From bobk at ocf.berkeley.edu Sat Apr 1 06:43:18 2006
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 31 Mar 2006 22:43:18 -0800
Subject: Empty trash in Gnome
In-Reply-To: <1143746339.24555.259.camel@moss-spartans.epoch.ncsc.mil>
References: <442C2703.3090208@fedora.pl> <1143744871.24555.251.camel@moss-spartans.epoch.ncsc.mil> <442C2D0E.3030509@fedora.pl> <1143746339.24555.259.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1143873798.2345.2.camel@chaucer>

On Thu, 2006-03-30 at 14:18 -0500, Stephen Smalley wrote:
> On Thu, 2006-03-30 at 21:10 +0200, Dawid Gajownik wrote:
> > Well, I don't know :) I'm a KDE user and I know nothing about Gnome
> > internals. This link gave me some tips:
> > http://bugzilla.gnome.org/show_bug.cgi?id=171073 (search for hal).
> >
> > ~/.gnome/gnome-vfs/.trash_entry_cache is not updated correctly without
> > updated SELinux policy.
>
> Ok, per that bugzilla, nautilus asks hald for the set of mounted
> volumes, so that explains why hald just wants to stat /home as an
> existence test. So hald actually needs getattr to all mounted
> directories.

I can confirm this. Dan, can you fix this please:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184473

Bob

--
Bob Kashani
http://www.gnome.org/~bobk/

From olivares14031 at yahoo.com Sat Apr 1 08:51:47 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
Message-ID: <20060401085147.91904.qmail@web52610.mail.yahoo.com>

Dear all,

I decided to install the latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer surf the internet. I get some avc denied messages from dmesg. How can I fix this issue? I do not want to disable selinux.

TIA,

Antonio

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg-selinux04012006.log
Type: text/x-log
Size: 15583 bytes
Desc: 4111971101-dmesg-selinux04012006.log
URL:

From rmy at tigress.co.uk Sat Apr 1 09:42:29 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Sat, 1 Apr 2006 10:42:29 +0100 (BST)
Subject: Sharing partitions between FC4 and FC5
Message-ID: <200604010942.k319gTJh026285@tiffany.internal.tigress.co.uk>

I've installed FC5 alongside FC4. Initially I just gave FC5 its own /, /var and /usr partitions but then edited /etc/fstab to add partitions that I want to share between FC4 and FC5: things like /home and /opt. For each OS I use a different login with separate home directories. This avoids problems with GNOME configurations and the like.

Then I rebooted into FC5 and forced a relabel. FC5 works fine but I'm now unable to log in to the GNOME desktop in FC4 unless I set enforcing=0 on boot. When I do that the log rapidly fills up with lines like:

Apr 1 10:30:24 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352500

I'll attach the log messages I get when I try to log in with SELinux in enforcing mode.

Ron

---
Apr 1 10:20:43 random gdm(pam_unix)[2868]: session opened for user rmy by (uid=0)
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_dir_t:s0) returned 22 for dev=dm-1 ino=352024
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352336
Apr 1 10:20:52 random gdm[2868]: gdm_auth_user_add: Could not lock cookie file /home/rmyfc4/.Xauthority
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352894
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=353188
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352496
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352341
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352335
Apr 1 10:20:54 random gconfd (rmy-2984): starting (version 2.10.0), pid 2984 user 'rmy'
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352349
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readwrite:/home/rmyfc4/.gconf" to a read-only configuration source at position 1
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Apr 1 10:20:54 random gconfd (rmy-2984): None of the resolved addresses are writable; saving configuration settings will not be possible
Apr 1 10:20:54 random gconfd (rmy-2984): No writable config sources successfully resolved, may not be able to save some configuration changes
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352072
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352350
[snip]
Apr 1 10:20:55 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352897
Apr 1 10:21:15 random gdm(pam_unix)[2868]: session closed for user rmy
Apr 1 10:21:15 random dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
Apr 1 10:21:24 random gconfd (rmy-2984): Could not open saved state file '/home/rmyfc4/.gconfd/saved_state.tmp' for writing: Permission denied

From olivares14031 at yahoo.com Sat Apr 1 17:57:40 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sat, 1 Apr 2006 09:57:40 -0800 (PST)
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
Message-ID: <20060401175740.57441.qmail@web52601.mail.yahoo.com>

RE: nfs avc messages with kernel-2.6.16-1.2069_FC4

Message: 6
Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
From: Antonio Olivares
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
To: fedora-selinux-list at redhat.com
Message-ID: <20060401085147.91904.qmail at web52610.mail.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear all,

I decided to install the latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer surf the internet. I get some avc denied messages from dmesg. How can I fix this issue? I do not want to disable selinux.

TIA,

Antonio

======================================================

Here are the avc's. Since they were not present in the previous email to fedora-selinux-list at redhat.com I do not want to disable selinux to be able to surf the internet. How can I take care of this? I appreciate all comments/help I can get.

SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) - 232 bytes per conntrack
audit(1143912938.407:2): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143912938.447:3): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143912938.463:4): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association

Also on another machine I installed kernel-2.6.16.1 on an FC3 machine with selinux disabled and I tried to reenable it since this kernel comes with selinux in its options and I compiled it in. Yet when I rebooted it gave me a kernel panic that no policy was in place. How should I define such a policy? Is there a tarball somewhere that I can get, or suggestions since FC3 is in legacy already?

Regards,

Antonio

From fedora at grifent.com Sat Apr 1 17:19:11 2006
From: fedora at grifent.com (John Griffiths)
Date: Sat, 01 Apr 2006 12:19:11 -0500
Subject: Plugins for Firefox and others common programs disallowed access
Message-ID: <442EB60F.6040301@grifent.com>

An HTML attachment was scrubbed...
URL:

From i.pilcher at comcast.net Sat Apr 1 21:47:06 2006
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Sat, 01 Apr 2006 15:47:06 -0600
Subject: Overriding default file contexts?
Message-ID:

Perhaps there's a way to do this, and I simply don't know it.

I just finished manually relabeling the Acrobat Reader libraries and plug-ins. Of course, if I ever have to relabel my filesystem, I'll have to do this again.

Wouldn't it be nice if I could put a file in a directory, .file_contexts for example, give it a special context (file_context_t?) which would never be changed, and specify contexts that would override the policy default contexts. It sure seems like this could save some pain.

--
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================

From fedora at grifent.com Sat Apr 1 21:47:46 2006
From: fedora at grifent.com (John Griffiths)
Date: Sat, 01 Apr 2006 16:47:46 -0500
Subject: Plugins for Firefox and others common programs disallowed access
Message-ID: <442EF502.2000202@grifent.com>

An HTML attachment was scrubbed...
URL:

From steve at szmidt.org Sat Apr 1 22:09:21 2006
From: steve at szmidt.org (steve szmidt)
Date: Sat, 1 Apr 2006 17:09:21 -0500
Subject: Plugins for Firefox and others common programs disallowed access
In-Reply-To: <442EF502.2000202@grifent.com>
References: <442EF502.2000202@grifent.com>
Message-ID: <200604011709.21812.steve@szmidt.org>

On Saturday 01 April 2006 16:47, John Griffiths wrote:
> !DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> html>
> head>
> meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
> title>/title>
> /head>
> body bgcolor="#ffffff" text="#000000">
> Was poking around in the selinux FAQs for FC 5 and found:br>

Please don't use html on lists.

--
Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing."
Edmund Burke

From gajownik at fedora.pl Sat Apr 1 22:14:00 2006
From: gajownik at fedora.pl (Dawid Gajownik)
Date: Sun, 02 Apr 2006 00:14:00 +0200
Subject: Plugins for Firefox and others common programs disallowed access
In-Reply-To: <442EF502.2000202@grifent.com>
References: <442EF502.2000202@grifent.com>
Message-ID: <442EFB28.7070008@fedora.pl>

On 04/01/2006 11:52 PM, John Griffiths wrote:
> This is usually based on a library label. You can change the
> context on the library with the *chcon -t testrel_shlib_t
> /|LIBRARY|/*. Now your application can run. Please report this
> as a bugzilla.

You have found a bug in documentation :) Should be textrel_shlib_t instead of testrel_shlib_t.

--
^_*

From fedora at grifent.com Sat Apr 1 22:34:24 2006
From: fedora at grifent.com (John Griffiths)
Date: Sat, 01 Apr 2006 17:34:24 -0500
Subject: Plugins for Firefox and others common programs disallowed access
In-Reply-To: <442EFB28.7070008@fedora.pl>
References: <442EF502.2000202@grifent.com> <442EFB28.7070008@fedora.pl>
Message-ID: <442EFFF0.2040808@grifent.com>

An HTML attachment was scrubbed...
URL:

From sundaram at fedoraproject.org Sat Apr 1 22:46:19 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sun, 02 Apr 2006 04:16:19 +0530
Subject: Plugins for Firefox and others common programs disallowed access
In-Reply-To: <442EFFF0.2040808@grifent.com>
References: <442EF502.2000202@grifent.com> <442EFB28.7070008@fedora.pl> <442EFFF0.2040808@grifent.com>
Message-ID: <1143931579.3783.18.camel@sundaram.pnq.redhat.com>

On Sat, 2006-04-01 at 17:34 -0500, John Griffiths wrote:
> Thank you. As a developer, I know documentation is the last thing to
> get my attention. But, being on the receiving end this time, I get the
> idea why it is so important. :-D
>
> Is this the "normal" way to get around libraries that want to
> execmod ?

Having to run these commands by themselves isn't exactly what I consider normal but it appears to be a valid workaround.

> Should I bugzilla all the libraries I have found that need to
> execmod ?

Yes.

Rahul

From hhoffman at ip-solutions.net Sat Apr 1 23:15:42 2006
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Sat, 01 Apr 2006 18:15:42 -0500
Subject: Small bug in apache.fc
Message-ID: <442F099E.4070600@ip-solutions.net>

Hi,

apache.fc allows for the webroot location to be under /srv but selinux currently stops apache from searching under /srv (at least this seems to be the case to me, but I'm fairly new to selinux).

From: file_contexts/program/apache.fc
/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t

a ls -lZ of / shows:
drwxr-xr-x root root system_u:object_r:default_t srv

running audit2allow -i /var/log/messages shows:
allow httpd_t default_t:dir search;

adding a local.te policy with:
allow httpd_t default_t:dir search;

fixes the problem and allows httpd to start without issue.

Cheers,
Harry

--
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/

From fedora at grifent.com Sat Apr 1 23:57:07 2006
From: fedora at grifent.com (John Griffiths)
Date: Sat, 01 Apr 2006 18:57:07 -0500
Subject: Plugins for Firefox and others common programs disallowed access
In-Reply-To: <1143931579.3783.18.camel@sundaram.pnq.redhat.com>
References: <442EF502.2000202@grifent.com> <442EFB28.7070008@fedora.pl> <442EFFF0.2040808@grifent.com> <1143931579.3783.18.camel@sundaram.pnq.redhat.com>
Message-ID: <442F1353.9030501@grifent.com>

An HTML attachment was scrubbed...
URL:

From olivares14031 at yahoo.com Sun Apr 2 01:56:27 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sat, 1 Apr 2006 17:56:27 -0800 (PST)
Subject: changed selinux to permissive get new avcs
Message-ID: <20060402015627.5315.qmail@web52607.mail.yahoo.com>

Dear all,

As I had some previous trouble with selinux, and have gotten little to no advice, I read through the fedora wiki, and fedora selinux-faq and previous knowledge/advice from fedora-list. I did a ./touchrelabel and reboot. I could still not connect to the internet with the latest FC4 kernel (2.6.16-1.2069_FC4). I have changed selinux mode to permissive mode and I get new avc's.

SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) - 232 bytes per conntrack
audit(1143945599.518:2): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143945599.518:3): avc: denied { recvfrom } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143945599.518:4): avc: denied { sendto } for pid=1602 comm="portmap" scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143945599.518:5): avc: denied { recvfrom } for pid=1602 comm="portmap" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts

I will post the complete dmesg inline to get better advice.
Thank you for your time and help,

Antonio

From sundaram at fedoraproject.org Sun Apr 2 01:59:41 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sun, 02 Apr 2006 07:29:41 +0530
Subject: changed selinux to permissive get new avcs
In-Reply-To: <20060402015627.5315.qmail@web52607.mail.yahoo.com>
References: <20060402015627.5315.qmail@web52607.mail.yahoo.com>
Message-ID: <1143943181.3783.31.camel@sundaram.pnq.redhat.com>

On Sat, 2006-04-01 at 17:56 -0800, Antonio Olivares wrote:
> Dear all,
> As I had some previous trouble with selinux, and
> have gotten little to no advice, I read through the
> fedora wiki, and fedora selinux-faq and previous
> knowledge/advice from fedora-list

Can you state what trouble you had specifically?

Rahul

From olivares14031 at yahoo.com Sun Apr 2 02:11:34 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sat, 1 Apr 2006 18:11:34 -0800 (PST)
Subject: changed selinux to permissive get new avcs
In-Reply-To: <1143943181.3783.31.camel@sundaram.pnq.redhat.com>
Message-ID: <20060402021135.97963.qmail@web52606.mail.yahoo.com>

--- Rahul Sundaram wrote:

> On Sat, 2006-04-01 at 17:56 -0800, Antonio Olivares wrote:
> > Dear all,
> > As I had some previous trouble with selinux, and
> > have gotten little to no advice, I read through the
> > fedora wiki, and fedora selinux-faq and previous
> > knowledge/advice from fedora-list
>
> Can you state what trouble you had specifically?
>
> Rahul

Ok here we go, I sent these messages to fedora-selinux-list as shown

------------------------------

Message: 6
Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
From: Antonio Olivares
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
To: fedora-selinux-list at redhat.com
Message-ID: <20060401085147.91904.qmail at web52610.mail.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear all,
I decided to install latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer surf the internet. I get some avc denied messages from dmesg. How can I fix this issue?

I do not want to disable selinux.

TIA,

Antonio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg-selinux04012006.log
Type: text/x-log
Size: 15583 bytes
Desc: 4111971101-dmesg-selinux04012006.log
Url : https://www.redhat.com/archives/fedora-selinux-list/attachments/20060401/45456085/dmesg-selinux04012006.bin

------------------------------

Message: 1
Date: Sat, 1 Apr 2006 09:57:40 -0800 (PST)
From: Antonio Olivares
Subject: Re: nfs avc messages with kernel-2.6.16-1.2069_FC4
To: fedora-selinux-list at redhat.com
Message-ID: <20060401175740.57441.qmail at web52601.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

RE: nfs avc messages with kernel-2.6.16-1.2069_FC4

Message: 6
Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
From: Antonio Olivares
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
To: fedora-selinux-list at redhat.com
Message-ID: <20060401085147.91904.qmail at web52610.mail.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear all,
I decided to install latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer surf the internet. I get some avc denied messages from dmesg. How can I fix this issue?

I do not want to disable selinux.

TIA,

Antonio

======================================================

Here are the avc's. Since they were not present in the previous email to fedora-selinux-list at redhat.com

I do not want to disable selinux to be able to surf the internet. How can I take care of this?

I appreciate all comments/help I can get.

SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) - 232 bytes per conntrack
audit(1143912938.407:2): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143912938.447:3): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1143912938.463:4): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association

Also on another machine
I installed kernel-2.6.16.1 to an FC3 machine with selinux disabled and I tried to reenable it since this kernel comes with selinux in its options and I compiled it in. Yet when I rebooted it gave me a kernel panic that no policy was in place. How should I define such a policy? Is there a tarball somewhere that I can get, or suggestions since FC3 is in legacy already?

Regards,

Antonio

--------------------------------------------------

I have just set Selinux to permissive mode and I have just submitted those new avc's. I just need a little bit of help cause I just do not want to give up on SELinux. I want to set it back to enforce but I need to take care of those issues and learn how to tackle them.

Thanks for helping,

Antonio

From: steve at szmidt.org (steve szmidt)
Date: Sat, 1 Apr 2006 21:46:08 -0500
Subject: Plugins for Firefox and others common programs disallowed access
In-Reply-To: <442F1353.9030501@grifent.com>
References: <442EF502.2000202@grifent.com> <1143931579.3783.18.camel@sundaram.pnq.redhat.com> <442F1353.9030501@grifent.com>
Message-ID: <200604012146.08389.steve@szmidt.org>

On Saturday 01 April 2006 18:57, John Griffiths wrote:
> !DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> html>
> head>
> meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
> /head>

John, please do not use HTML in email to the list.

--
Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing."
Edmund Burke
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Sat, 01 Apr 2006 21:23:19 -0800
Subject: changed selinux to permissive get new avcs
In-Reply-To: <20060402015627.5315.qmail@web52607.mail.yahoo.com>
References: <20060402015627.5315.qmail@web52607.mail.yahoo.com>
Message-ID: <1143955399.2135.3.camel@chaucer>

On Sat, 2006-04-01 at 17:56 -0800, Antonio Olivares wrote:
> Dear all,
> As I had some previous trouble with selinux, and
> have gotten little to no advice, I read through the
> fedora wiki, and fedora selinux-faq and previous
> knowledge/advice from fedora-list
>
> I did a ./touchrelabel and reboot.

That should be:

touch /.autorelabel

Then reboot.

Bob

--
Bob Kashani
http://www.gnome.org/~bobk/

From: craigwhite at azapple.com (Craig White)
Date: Sat, 01 Apr 2006 22:37:47 -0700
Subject: changed selinux to permissive get new avcs
In-Reply-To: <20060402021135.97963.qmail@web52606.mail.yahoo.com>
References: <20060402021135.97963.qmail@web52606.mail.yahoo.com>
Message-ID: <1143956267.1432.123.camel@lin-workstation.azapple.com>

On Sat, 2006-04-01 at 18:11 -0800, Antonio Olivares wrote:
>
> --- Rahul Sundaram wrote:
>
> > On Sat, 2006-04-01 at 17:56 -0800, Antonio Olivares wrote:
> > > Dear all,
> > > As I had some previous trouble with selinux, and
> > > have gotten little to no advice, I read through the
> > > fedora wiki, and fedora selinux-faq and previous
> > > knowledge/advice from fedora-list
> >
> > Can you state what trouble you had specifically?
> >
> > Rahul
> >
>
> Ok here we go, I sent these messages to fedora-selinux-list as shown
>
> ------------------------------
>
> Message: 6
> Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
> From: Antonio Olivares
> Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
> To: fedora-selinux-list at redhat.com
> Message-ID: <20060401085147.91904.qmail at web52610.mail.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Dear all,
> I decided to install latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer
> surf the internet. I get some avc denied messages from dmesg. How can I fix this issue?
>
> I do not want to disable selinux.
>
> TIA,
>
> Antonio
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: dmesg-selinux04012006.log
> Type: text/x-log
> Size: 15583 bytes
> Desc: 4111971101-dmesg-selinux04012006.log
> Url : https://www.redhat.com/archives/fedora-selinux-list/attachments/20060401/45456085/dmesg-selinux04012006.bin
>
> ------------------------------
>
> Message: 1
> Date: Sat, 1 Apr 2006 09:57:40 -0800 (PST)
> From: Antonio Olivares
> Subject: Re: nfs avc messages with kernel-2.6.16-1.2069_FC4
> To: fedora-selinux-list at redhat.com
> Message-ID: <20060401175740.57441.qmail at web52601.mail.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> RE: nfs avc messages with kernel-2.6.16-1.2069_FC4
>
> Message: 6
> Date: Sat, 1 Apr 2006 00:51:47 -0800 (PST)
> From: Antonio Olivares
> Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
> To: fedora-selinux-list at redhat.com
> Message-ID: <20060401085147.91904.qmail at web52610.mail.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Dear all,
> I decided to install latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer
> surf the internet. I get some avc denied messages from dmesg. How can I fix this issue?
>
> I do not want to disable selinux.
>
> TIA,
>
> Antonio
>
> ======================================================
>
> Here are the avc's. Since they were not present in the previous email to fedora-selinux-list at redhat.com
>
> I do not want to disable selinux to be able to surf the internet. How can I take care of this?
>
> I appreciate all comments/help I can get.
>
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> ip_tables: (C) 2000-2006 Netfilter Core Team
> Netfilter messages via NETLINK v0.30.
> ip_conntrack version 2.4 (3071 buckets, 24568 max) - 232 bytes per conntrack
> audit(1143912938.407:2): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> audit(1143912938.447:3): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> audit(1143912938.463:4): avc: denied { sendto } for pid=1620 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
>
> Also on another machine
> I installed kernel-2.6.16.1 to an FC3 machine with selinux disabled and I tried to reenable it since this
> kernel comes with selinux in its options and I compiled it in. Yet when I rebooted it gave me a
> kernel panic that no policy was in place. How should I define such a policy? Is there a tarball somewhere
> that I can get, or suggestions since FC3 is in legacy already?
>
> Regards,
>
> Antonio
>
> --------------------------------------------------
>
> I have just set Selinux to permissive mode and I have just submitted those new avc's. I just need a little
> bit of help cause I just do not want to give up on SELinux. I want to set it back to enforce but I need
> to take care of those issues and learn how to tackle them.
>
> Thanks for helping,
----
maybe I'm dense but the only thing I saw was the same avc denied several times for rpc.statd which relates to nfs but has nothing to do with web browsing/internet.

are you saying that web browsing is working in permissive mode and not working in targeted/enforcing mode?

Craig
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 2 Apr 2006 09:22:16 -0700 (PDT)
Subject: changed selinux to permissive get new avcs (Solved)
Message-ID: <20060402162216.82658.qmail@web52610.mail.yahoo.com>

% parts of message removed

>That should be:
>
>touch /.autorelabel
>
>Then reboot.
>
>Bob
>
>--
>Bob Kashani
>----

Ok, Problem has been solved. Here's what I did, I yum updated selinux*

[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# yum update selinux*
Setting up Update Process
Setting up repositories
updates-released          100% |=========================|  951 B    00:00
extras                    100% |=========================| 1.1 kB    00:00
base                      100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
primary.xml.gz            100% |=========================| 387 kB    01:24
updates-re: ################################################## 1075/1075
Added 1075 new packages, deleted 0 old in 12.94 seconds
primary.xml.gz            100% |=========================| 1.2 MB    04:25
extras    : ################################################## 3482/3482
Added 3482 new packages, deleted 0 old in 33.80 seconds
primary.xml.gz            100% |=========================| 824 kB    03:40
base      : ################################################## 2772/2772
Added 2772 new packages, deleted 0 old in 23.76 seconds
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for selinux-policy-strict-sources to pack into transaction set.
http://klid.dk/homeftp/fedora/linux/core/updates/4/i386/selinux-policy-strict-sources-1.27.1-2.27.noarch.rpm: [Errno 4] IOError: HTTP Error 403: Date: Sun, 02 Apr 2006 04:12:44 GMT Server: Apache/2.0.54 (Mandriva Linux/PREFORK-13.2.20060mdk) Vary: accept-language,accept-charset Accept-Ranges: bytes Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 Content-Language: en
Trying other mirror.
selinux-policy-strict-sou 100% |=========================| 124 kB    00:09
---> Package selinux-policy-strict-sources.noarch 0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-strict to pack into transaction set.
selinux-policy-strict-1.2 100% |=========================|  47 kB    00:04
---> Package selinux-policy-strict.noarch 0:1.27.1-2.27 set to be updated
---> Downloading header for selinux-policy-targeted-sources to pack into transaction set.
selinux-policy-targeted-s 100% |=========================|  93 kB    00:07
---> Package selinux-policy-targeted-sources.noarch 0:1.27.1-2.22 set to be updated
---> Downloading header for selinux-policy-targeted to pack into transaction set.
selinux-policy-targeted-1 100% |=========================|  50 kB    00:04
---> Package selinux-policy-targeted.noarch 0:1.27.1-2.22 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                          Arch    Version       Repository       Size
=============================================================================
Updating:
 selinux-policy-strict            noarch  1.27.1-2.27   updates-released 1.9 M
 selinux-policy-strict-sources    noarch  1.27.1-2.27   updates-released 378 k
 selinux-policy-targeted          noarch  1.27.1-2.22   updates-released 924 k
 selinux-policy-targeted-sources  noarch  1.27.1-2.22   updates-released 281 k

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       4 Package(s)
Remove       0 Package(s)
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): selinux-policy-str 100% |=========================| 378 kB    01:05
(2/4): selinux-policy-str 100% |=========================| 1.9 MB    06:47
(3/4): selinux-policy-tar 100% |=========================| 281 kB    00:48
(4/4): selinux-policy-tar 100% |=========================| 924 kB    03:03
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : selinux-policy-targeted      ######################### [1/8]
  Updating  : selinux-policy-strict        ######################### [2/8]
  Updating  : selinux-policy-strict-source ######################### [3/8]
  Updating  : selinux-policy-targeted-sour ######################### [4/8]
/etc/selinux/targeted/contexts/files/file_contexts: line 621 has invalid context system_u:object_r:acct_exec_t
/sbin/restorecon reset /usr/bin/iiimx context system_u:object_r:i18n_input_exec_t->system_u:object_r:bin_t
********** Lots more messages omitted *************
l_t->system_u:object_r:var_spool_t
/sbin/restorecon reset /var/spool/postfix/saved context system_u:object_r:mail_spool_t->system_u:object_r:var_spool_t
/sbin/restorecon reset /var/spool/postfix/deferred context system_u:object_r:mail_spool_t->system_u:object_r:var_spool_t
  Cleanup   : selinux-policy-strict-source ######################### [5/8]
  Cleanup   : selinux-policy-strict        ######################### [6/8]
  Cleanup   : selinux-policy-targeted-sour ######################### [7/8]
  Cleanup   : selinux-policy-targeted      ######################### [8/8]

Updated: selinux-policy-strict.noarch 0:1.27.1-2.27 selinux-policy-strict-sources.noarch 0:1.27.1-2.27 selinux-policy-targeted.noarch 0:1.27.1-2.22 selinux-policy-targeted-sources.noarch 0:1.27.1-2.22
Complete!
[root at localhost ~]#

Did a touch /.autorelabel as Bob put it correctly, set selinux back to enforcing and rebooted. I crossed my fingers and voila, it worked!!!

Thanks to all who responded and helped.

>maybe I'm dense but the only thing I saw was the same avc
>denied several times for rpc.statd which relates to nfs but has nothing to do with web browsing/internet.
>
>are you saying that web browsing is working in
>permissive mode and not
>working in targeted/enforcing mode?
>
>Craig

That was the case Craig, but now all is well. Here's part of the new avcs that I got after touch ./autorelabel

SELinux: initialized (dev hda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1143993007.681:2): avc: granted { setenforce } for pid=545 comm="rc.sysinit" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security
audit(1143993803.490:3): avc: granted { setenforce } for pid=545 comm="rc.sysinit" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security
Adding 786424k swap on /dev/VolGroup00/LogVol01. Priority:-1 extents:1 across:786424k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (3071 buckets, 24568 max) - 232 bytes per conntrack
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts

Now they were granted and all is well.

Best Regards,

Antonio
From: tdiehl at rogueind.com (Tom Diehl)
Date: Sun, 2 Apr 2006 14:01:58 -0400 (EDT)
Subject: samba, kerberos, winbind and W2K3 avc messages
Message-ID:

Hi all,

I have a fully updated FC4 machine that I am trying to get samba and winbind working with selinux in enforcing mode. I would appreciate it if someone could look at the avc messages below and help me understand what they mean and how to fix the machine.

When I start up samba and winbind I get the following avc messages:

Apr 2 11:06:45 backup kernel: audit(1143990405.799:54): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.807:55): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.811:56): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.815:57): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.819:58): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.823:59): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
...

When I try to browse the samba shares from the w2k3 server I get the following messages:

==> messages <==
Apr 2 11:09:35 backup kernel: audit(1143990575.906:161): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:09:35 backup kernel: audit(1143990575.910:162): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file

==> samba/sommer1.log <==
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
  ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
  ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

If I disable selinux everything works as it should.

Regards,

Tom Diehl
tdiehl at rogueind.com
Spamtrap address mtd123 at rogueind.com
From: hburde at t-online.de (Holger Burde)
Date: Sun, 02 Apr 2006 19:12:24 +0200
Subject: strongswan problem
Message-ID: <1143997944.15842.14.camel@marvin.burde-consulting.de>

Hi;

I have a problem running strongswan (userland/ = pluto daemon) on my FC4 box with SELinux enabled.

[root at marvin strongswan-2.6.3]# ipsec setup start
ipsec_setup: Starting strongSwan IPsec U2.6.3/K2.6.16-1.2069_FC4...
ipsec_setup: Cannot talk to rtnetlink: Invalid argument
ipsec_setup: Cannot talk to rtnetlink: Invalid argument

With setenforce 0 everything works fine.

I looked through the policy and found only a partial (or my installation is broken?) ipsec policy. domains/programs has no ipsec.te and ipsec.fc is there. Do I have to create the ipsec policy (te) from scratch or is there something to use (modify)?

Policy Version:
selinux-policy-targeted-sources-1.27.1-2.22
selinux-policy-targeted-1.27.1-2.22

thx in advance

--
--- -- -
Dipl. Inform. H. Burde
EMail : |

From: par.aronsson at bredband.net (Pär Aronsson)
Date: Mon, 3 Apr 2006 07:42:41 +0200
Subject: SELinux overview on line.
In-Reply-To: <442A9F79.6010309@redhat.com>
References: <442A9F79.6010309@redhat.com>
Message-ID: <200604030742.41911.par.aronsson@bredband.net>

This is a great piece Dan. Is there any way to download it so that it can be shown offline?

Pär Aronsson

On Wednesday 29 March 2006 16:53, Daniel J Walsh wrote:
> http://www.redhat.com/v/swf/SELinux/
>
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 03 Apr 2006 08:12:59 +0100
Subject: Overriding default file contexts?
In-Reply-To:
References:
Message-ID: <1144048380.11818.4.camel@laurel.intra.city-fan.org>

On Sat, 2006-04-01 at 15:47 -0600, Ian Pilcher wrote:
> Perhaps there's a way to do this, and I simply don't know it.
>
> I just finished manually relabeling the Acrobat Reader libraries and
> plug-ins. Of course, if I ever have to relabel my filesystem, I'll have
> to do this again.
>
> Wouldn't it be nice if I could put file in a directory, .file_contexts
> for example, give it a special context (file_context_t?) which would
> never be changed, and specify contexts that would override the policy
> default contexts.
>
> It sure seems like this could save some pain.

You can do this with semanage (FC5) rather than a separate file.

# semanage fcontext -a -t textrel_shlib_t '/path/to/acroread/lib.*'

The last parameter is a regex that matches the libraries you want to label with textrel_shlib_t. You can use multiple semanage calls if necessary.

Paul.
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 03 Apr 2006 09:01:17 -0400
Subject: Sharing partitions between FC4 and FC5
In-Reply-To: <200604010942.k319gTJh026285@tiffany.internal.tigress.co.uk>
References: <200604010942.k319gTJh026285@tiffany.internal.tigress.co.uk>
Message-ID: <1144069277.9028.5.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2006-04-01 at 10:42 +0100, Ron Yorston wrote:
> I've installed FC5 alongside FC4. Initially I just gave FC5 its own
> /, /var and /usr partitions but then edited /etc/fstab to add partitions
> that I want to share between FC4 and FC5: things like /home and /opt.
> For each OS I use a different login with separate home directories.
> This avoids problems with GNOME configurations and the like.
>
> Then I rebooted into FC5 and forced a relabel. FC5 works fine but I'm
> now unable to login to the GNOME desktop in FC4 unless I set enforcing=0
> on boot. When I do that the log rapidly fills up with lines like:
>
> Apr 1 10:30:24 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352500
>
> I'll attach the log messages I get when I try to login with SELinux
> in enforcing mode.

A MLS compatibility patch went into Linux 2.6.15 and was back ported to one of the FC4 kernel updates. Is your FC4 kernel updated?

--
Stephen Smalley
National Security Agency
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 03 Apr 2006 09:02:41 -0400
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
In-Reply-To: <20060401085147.91904.qmail@web52610.mail.yahoo.com>
References: <20060401085147.91904.qmail@web52610.mail.yahoo.com>
Message-ID: <1144069361.9028.8.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2006-04-01 at 00:51 -0800, Antonio Olivares wrote:
> Dear all,
> I decided to install latest FC4 kernel
> 2.6.16-1.2069_FC4 or so. Upon booting I can no longer
> surf the internet. I get some avc denied messages
> from dmesg. How can I fix this issue?
>
> I do not want to disable selinux.

Can you post the avc messages (or just the first few if there are many
repeats)? You can use audit2allow to temporarily generate allow rules
for the denials until a policy update is issued, although it isn't
always what you want to do. See the EXAMPLE section of the audit2allow
man page.

-- 
Stephen Smalley
National Security Agency

From txtoth at gmail.com Mon Apr 3 13:08:29 2006
From: txtoth at gmail.com (Xavier Toth)
Date: Mon, 3 Apr 2006 08:08:29 -0500
Subject: fc5 useradd in rpm not working
Message-ID:

A useradd that I have in an RPM I'm developing doesn't work. I can
however run it from the command line. Can anyone give me an idea of what
the difference is and how I can correct my RPM?

From sds at tycho.nsa.gov Mon Apr 3 13:14:33 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 03 Apr 2006 09:14:33 -0400
Subject: nfs avc messages with kernel-2.6.16-1.2069_FC4
In-Reply-To: <1144069361.9028.8.camel@moss-spartans.epoch.ncsc.mil>
References: <20060401085147.91904.qmail@web52610.mail.yahoo.com> <1144069361.9028.8.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144070073.9028.10.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-04-03 at 09:02 -0400, Stephen Smalley wrote:
> On Sat, 2006-04-01 at 00:51 -0800, Antonio Olivares wrote:
> > Dear all,
> > I decided to install latest FC4 kernel
> > 2.6.16-1.2069_FC4 or so. Upon booting I can no longer
> > surf the internet. I get some avc denied messages
> > from dmesg. How can I fix this issue?
> >
> > I do not want to disable selinux.
>
> Can you post the avc messages (or just the first few if there are many
> repeats)? You can use audit2allow to temporarily generate allow rules
> for the denials until a policy update is issued, although it isn't
> always what you want to do. See the EXAMPLE section of the audit2allow
> man page.

Sorry - I see that you did in fact attach them. The denials in this case
were due to new IPSEC-related SELinux controls that went into 2.6.16,
introduced by IBM, so you did need an updated policy, as you discovered.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Apr 3 13:24:09 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 03 Apr 2006 09:24:09 -0400
Subject: Small bug in apache.fc
In-Reply-To: <442F099E.4070600@ip-solutions.net>
References: <442F099E.4070600@ip-solutions.net>
Message-ID: <1144070649.9028.17.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
> Hi,
>
> apache.fc allows for webroot location to be under /srv but selinux
> currently stops apache from searching under /srv (at least this seems to
> be the case to me, but I'm fairly new to selinux).
>
> From: file_contexts/program/apache.fc
> /srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
>
> a ls -lZ of / shows:
> drwxr-xr-x root root system_u:object_r:default_t srv
>
> running audit2allow -i /var/log/messages shows:
> allow httpd_t default_t:dir search;
>
> adding a local.te policy with:
> allow httpd_t default_t:dir search;
>
> fixes the problem and allows httpd to start without issue.

Better to put a different type on /srv, so that you don't have to expose
otherwise unspecified directories to searching by httpd.

-- 
Stephen Smalley
National Security Agency

From mjs at ces.clemson.edu Mon Apr 3 13:47:31 2006
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Mon, 3 Apr 2006 09:47:31 -0400 (EDT)
Subject: VMware Workstation in FC5
Message-ID:

Running vmware workstation in FC5 with selinux-policy-targeted-2.2.25-2.fc5
produces the error:

$ vmware
/usr/lib/vmware/bin/vmware: error while loading shared libraries:
/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0: cannot
restore segment prot after reloc: Permission denied

and the AVC:

Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied { execmod } for pid=21419 comm="vmware" name="libgdk-x11-2.0.so.0" dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From mjs at ces.clemson.edu Mon Apr 3 13:48:14 2006
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Mon, 3 Apr 2006 09:48:14 -0400 (EDT)
Subject: ping redirect
Message-ID:

This was mentioned on fedora-list, but I don't think the OP is interested
in posting here.

"ping > foo" as a normal user produces AVC:

Apr 3 09:41:20 vincent52 kernel: audit(1144071680.338:437): avc: denied { write } for pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

In a gterm, it just hangs. On a VC, ping exits with an error.

This is FC5 with selinux-policy-targeted-2.2.25-2.fc5.

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From i.pilcher at comcast.net Mon Apr 3 13:51:53 2006
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Mon, 03 Apr 2006 08:51:53 -0500
Subject: Overriding default file contexts?
In-Reply-To: <1144048380.11818.4.camel@laurel.intra.city-fan.org>
References: <1144048380.11818.4.camel@laurel.intra.city-fan.org>
Message-ID:

Paul Howarth wrote:
>
> You can do this with semanage (FC5) rather than a separate file.
>
> # semanage fcontext -a -t textrel_shlib_t '/path/to/acroread/lib.*'
>

After testing that command with one of the Acrobat libraries,
'restorecon -nv ...' still wants to change its type back to lib_t. So
it doesn't appear to be any more permanent than chcon.

-- 
========================================================================
Ian Pilcher i.pilcher at comcast.net
========================================================================

From selinux at gmail.com Mon Apr 3 14:31:07 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 3 Apr 2006 07:31:07 -0700
Subject: VMware Workstation in FC5
In-Reply-To:
References:
Message-ID: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com>

On 4/3/06, Matthew Saltzman wrote:
> Running vmware workstation in FC5 with selinux-policy-targeted-2.2.25-2.fc5
> produces the error:
>
> $ vmware
> /usr/lib/vmware/bin/vmware: error while loading shared libraries:
> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0: cannot
> restore segment prot after reloc: Permission denied
>
> and the AVC:
>
> Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied
> { execmod } for pid=21419 comm="vmware" name="libgdk-x11-2.0.so.0"
> dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> --
> Matthew Saltzman
>

Try

chcon -t textrel_shlib_t /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0

tom
-- 
Tom London

From sds at tycho.nsa.gov Mon Apr 3 14:36:49 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 03 Apr 2006 10:36:49 -0400
Subject: Overriding default file contexts?
In-Reply-To:
References: <1144048380.11818.4.camel@laurel.intra.city-fan.org>
Message-ID: <1144075009.9028.75.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-04-03 at 08:51 -0500, Ian Pilcher wrote:
> Paul Howarth wrote:
> >
> > You can do this with semanage (FC5) rather than a separate file.
> >
> > # semanage fcontext -a -t textrel_shlib_t '/path/to/acroread/lib.*'
> >
>
> After testing that command with one of the Acrobat libraries,
> 'restorecon -nv ...' still wants to change its type back to lib_t. So
> it doesn't appear to be any more permanent than chcon.

Hmmm...it should be.

# tail -1 /etc/selinux/targeted/contexts/files/file_contexts
# cat /etc/selinux/targeted/modules/active/file_contexts.local

-- 
Stephen Smalley
National Security Agency

From mjs at ces.clemson.edu Mon Apr 3 14:46:35 2006
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Mon, 3 Apr 2006 10:46:35 -0400 (EDT)
Subject: VMware Workstation in FC5
In-Reply-To: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com>
References: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com>
Message-ID:

On Mon, 3 Apr 2006, Tom London wrote:

> On 4/3/06, Matthew Saltzman wrote:
>> Running vmware workstation in FC5 with selinux-policy-targeted-2.2.25-2.fc5
>> produces the error:
>>
>> $ vmware
>> /usr/lib/vmware/bin/vmware: error while loading shared libraries:
>> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0: cannot
>> restore segment prot after reloc: Permission denied
>>
>> and the AVC:
>>
>> Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied
>> { execmod } for pid=21419 comm="vmware" name="libgdk-x11-2.0.so.0"
>> dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>
>> --
>> Matthew Saltzman
>>
> Try
> chcon -t textrel_shlib_t
> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0

Thanks, that did it. Is this something that can go in
selinux-policy-targeted, or is it something that VMware needs to take care
of?

>
> tom
> --
> Tom London
>

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From selinux at gmail.com Mon Apr 3 14:55:16 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 3 Apr 2006 07:55:16 -0700
Subject: VMware Workstation in FC5
In-Reply-To:
References: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com>
Message-ID: <4c4ba1530604030755h30631a0bwb26b02e16e366b04@mail.gmail.com>

On 4/3/06, Matthew Saltzman wrote:
> On Mon, 3 Apr 2006, Tom London wrote:
>
> > On 4/3/06, Matthew Saltzman wrote:
> > Try
> > chcon -t textrel_shlib_t
> > /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0
>
> Thanks, that did it. Is this something that can go in
> selinux-policy-targeted, or is it something that VMware needs to take care
> of?
>
> --
> Matthew Saltzman
>

'We' are missing a policy for vmware. I've been too busy to write one,
and vmware seems uninterested....

tom
-- 
Tom London

From rdieter at math.unl.edu Mon Apr 3 15:17:24 2006
From: rdieter at math.unl.edu (Rex Dieter)
Date: Mon, 03 Apr 2006 10:17:24 -0500
Subject: fc5 useradd in rpm not working
In-Reply-To:
References:
Message-ID:

Xavier Toth wrote:
> A useradd that I have in an RPM I'm developing doesn't work. I can
> however run it from the command line. Can anyone give me an idea of what
> the difference is and how I can correct my RPM?

AFAIK, no one here is a mind-reader, so more information please. (-:

For example, what is the command you're trying to use? I assume it's in
the %%post scriptlet?

-- Rex

From sds at tycho.nsa.gov Mon Apr 3 15:28:49 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 03 Apr 2006 11:28:49 -0400
Subject: Overriding default file contexts?
In-Reply-To: <44313B0C.7080400@comcast.net>
References: <1144048380.11818.4.camel@laurel.intra.city-fan.org> <1144075009.9028.75.camel@moss-spartans.epoch.ncsc.mil> <44313B0C.7080400@comcast.net>
Message-ID: <1144078129.9028.106.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-04-03 at 10:11 -0500, Ian Pilcher wrote:
> So 'semanage fcontext ...' is simply an interface to modify the policy
> contexts/files/file_contexts? This is going to result in an rpmnew
> file whenever the policy is updated, right?

No. That file is no longer provided by the policy package directly; it
is generated by libsemanage each time upon updates, and even policy
updates go through libsemanage now. libsemanage merges local additions
(stored separately in the file_contexts.local file in the modules/active/
subdirectory) with the policy-provided file into the final file before
installing it.

> It's just my opinion, but I think it would be very convenient for system
> administrators and packagers to have a simple mechanism to override the
> policy for specific files.

Yes, that's what semanage fcontext -a is for. Or under FC4, you could
manually create and edit a
/etc/selinux/targeted/contexts/file/file_contexts.local file.

-- 
Stephen Smalley
National Security Agency

From suman.nari at gmail.com Mon Apr 3 15:25:54 2006
From: suman.nari at gmail.com (Suman B)
Date: Mon, 3 Apr 2006 20:55:54 +0530
Subject: Problem while writing the new policy
Message-ID: <63889910604030825m2c99729fr81a88fd1f9843b03@mail.gmail.com>

Hi,
I am a newbie to selinux. I would like to write a new policy and want to
ensure that the policy is working.

I saw in some web pages, that i have to write a policy file and to keep in
/etc/selinux/src/ , but there is no such directory.

What are the steps i have to follow for writing the policy. and give me a
small example with which i can create a new policy.

Thanks in advance.

Regards,
Suman.B

From orion at cora.nwra.com Mon Apr 3 15:45:54 2006
From: orion at cora.nwra.com (Orion Poplawski)
Date: Mon, 03 Apr 2006 09:45:54 -0600
Subject: How to start up an unconfined service
Message-ID:

I'm running SGE (Sun Grid Engine) and the daemon is now starting up in
the initrc_t domain. I really need it to be unconfined (I believe) as
it can really do just about anything. How can I do this?

Thanks!

- Orion

From dwalsh at redhat.com Mon Apr 3 16:19:30 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 12:19:30 -0400
Subject: How to start up an unconfined service
In-Reply-To:
References:
Message-ID: <44314B12.3070904@redhat.com>

Orion Poplawski wrote:
> I'm running SGE (Sun Grid Engine) and the daemon is now starting up in
> the initrc_t domain. I really need it to be unconfined (I believe) as
> it can really do just about anything. How can I do this?
>
In targeted policy initrc_t is unconfined. I believe you could also

chcon -t unconfined_exec_t DAEMONPATH

to get the transition

> Thanks!
>
> - Orion
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From rmy at tigress.co.uk Mon Apr 3 17:31:07 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Mon, 3 Apr 2006 18:31:07 +0100 (BST)
Subject: Sharing partitions between FC4 and FC5
Message-ID: <200604031731.k33HV7q1029163@tiffany.internal.tigress.co.uk>

Stephen Smalley wrote:
>A MLS compatibility patch went into Linux 2.6.15 and was back ported to
>one of the FC4 kernel updates. Is your FC4 kernel updated?

I think I'm entirely up to date:

# uname -r
2.6.16-1.2069_FC4
# rpm -qa | grep selinux
selinux-policy-targeted-1.27.1-2.22
libselinux-devel-1.23.11-1.1
libselinux-1.23.11-1.1

Ron

From Axel.Thimm at ATrpms.net Mon Apr 3 17:11:34 2006
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Mon, 3 Apr 2006 19:11:34 +0200
Subject: Packaging hotfixes
Message-ID: <20060403171134.GF11930@neu.nirvana>

Hi,

is there a way to have policy enhancements per packages? I'm asking
this because both fedora's and upstream handling of new selinux rules
works great, still the upgraded selinux-policy packages need some time
to hit the users and while they wait for their nvidia, avidemux,
whatever fix, they always seem to need it instantaneously and prefer
to turn off selinux altogether instead of waiting for a fix.

If there is a way to locally add rules from packages, then the
problematic app foo could carry an selinux snippet with itself and
install it until the policy package catches up.

Or would such a mechanism allow any package to overthrow selinux
altogether thus making this more of a security risk than a feature?

-- 
Axel.Thimm at ATrpms.net

From dwalsh at redhat.com Mon Apr 3 17:57:12 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 13:57:12 -0400
Subject: Small bug in apache.fc
In-Reply-To: <1144070649.9028.17.camel@moss-spartans.epoch.ncsc.mil>
References: <442F099E.4070600@ip-solutions.net> <1144070649.9028.17.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <443161F8.3040804@redhat.com>

Stephen Smalley wrote:
> On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
>
>> Hi,
>>
>> apache.fc allows for webroot location to be under /srv but selinux
>> currently stops apache from searching under /srv (at least this seems to
>> be the case to me, but I'm fairly new to selinux).
>>
>> From: file_contexts/program/apache.fc
>> /srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
>>
>> a ls -lZ of / shows:
>> drwxr-xr-x root root system_u:object_r:default_t srv
>>
>> running audit2allow -i /var/log/messages shows:
>> allow httpd_t default_t:dir search;
>>
>> adding a local.te policy with:
>> allow httpd_t default_t:dir search;
>>
>> fixes the problem and allows httpd to start without issue.
>>
>
> Better to put a different type on /srv, so that you don't have to expose
> otherwise unspecified directories to searching by httpd.
>
>
/srv should be labeled var_t. Not ideal but it would allow it to work.

restorecon /srv

From hhoffman at ip-solutions.net Mon Apr 3 18:08:05 2006
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Mon, 03 Apr 2006 14:08:05 -0400
Subject: Small bug in apache.fc
In-Reply-To: <443161F8.3040804@redhat.com>
References: <442F099E.4070600@ip-solutions.net> <1144070649.9028.17.camel@moss-spartans.epoch.ncsc.mil> <443161F8.3040804@redhat.com>
Message-ID: <44316485.9030309@ip-solutions.net>

Hi,

I'm happy to setup /srv to be var_t for the time being. Two questions:

1) if this isn't an ideal way of solving the problem is there a better way?
2) will whatever the solution become be merged into the policies that
RHAS/Fedora/Centos/etc. use?

Thanks,
Harry

-- 
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/

Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
>>
>>> Hi,
>>>
>>> apache.fc allows for webroot location to be under /srv but selinux
>>> currently stops apache from searching under /srv (at least this seems to
>>> be the case to me, but I'm fairly new to selinux).
>>>
>>> From: file_contexts/program/apache.fc
>>> /srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
>>>
>>> a ls -lZ of / shows:
>>> drwxr-xr-x root root system_u:object_r:default_t srv
>>>
>>> running audit2allow -i /var/log/messages shows:
>>> allow httpd_t default_t:dir search;
>>>
>>> adding a local.te policy with:
>>> allow httpd_t default_t:dir search;
>>>
>>> fixes the problem and allows httpd to start without issue.
>>>
>>
>> Better to put a different type on /srv, so that you don't have to expose
>> otherwise unspecified directories to searching by httpd.
>>
>>
> /srv should be labeled var_t. Not ideal but it would allow it to work.
>
> restorecon /srv

From dwalsh at redhat.com Mon Apr 3 18:29:46 2006
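The file_contexts lookup behind both the "Overriding default file contexts?" thread and the /srv labeling question above, as an added example that is not code from the list or from libselinux: a small re-implementation of matchpathcon's rule that when several regexes match a path the last entry wins, which is why entries appended from file_contexts.local override the distribution's lib_t rule. Only the /srv/([^/]*/)?www(/.*)? regex is taken from apache.fc as quoted; the lib_t, var_t and vmware entries are constructed for this example.

```python
"""Toy matchpathcon: last matching file_contexts entry wins.

Added example, not code from the thread or from libselinux.
"""
import re

# file type field of a file_contexts entry -> kind of object it applies to
FTYPE_KIND = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

# Constructed distribution entries, in the order a policy build emits them
# (generic entries first, more specific ones later).  Only the www regex is
# the real one from apache.fc as quoted in the thread.
DIST_FILE_CONTEXTS = r"""
/.*                                       system_u:object_r:default_t:s0
/usr/lib(64)?/.*\.so(\.[^/]*)*      --    system_u:object_r:lib_t:s0
/srv(/.*)?                                system_u:object_r:var_t:s0
/srv/([^/]*/)?www(/.*)?                   system_u:object_r:httpd_sys_content_t:s0
"""

# What 'semanage fcontext -a -t textrel_shlib_t <regex>' would record in
# file_contexts.local; constructed here for the vmware library in the thread.
LOCAL_FILE_CONTEXTS = r"""
/usr/lib/vmware/lib(/.*)?/libgdk-x11-2\.0\.so\.0    system_u:object_r:textrel_shlib_t:s0
"""


def parse_file_contexts(text):
    """Parse 'regex [ftype] context' lines into (compiled regex, ftype, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, context = fields
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # entries are implicitly anchored to the whole path
        specs.append((re.compile("^(?:%s)$" % regex), ftype, context))
    return specs


def matchpathcon(specs, path, kind="file"):
    """Return the context for path, or None when no entry matches.

    The specs are searched from the last one backwards, so the LAST entry
    in file order wins when several regexes match.  A more specific rule
    appended via file_contexts.local therefore overrides the distribution's
    lib_t rule without any edit to the policy-provided entries.
    """
    for regex, ftype, context in reversed(specs):
        if ftype is not None and FTYPE_KIND[ftype] != kind:
            continue
        if regex.match(path):
            return context
    return None


def merged_specs(with_local=True):
    """Distribution entries followed by local ones, the order libsemanage merges them in."""
    specs = parse_file_contexts(DIST_FILE_CONTEXTS)
    if with_local:
        specs += parse_file_contexts(LOCAL_FILE_CONTEXTS)
    return specs


def context_type(context):
    """Pull the type (third field) out of user:role:type:level."""
    return context.split(":")[2]


if __name__ == "__main__":
    vmware_lib = "/usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0"
    for with_local in (False, True):
        ctx = matchpathcon(merged_specs(with_local), vmware_lib)
        print("local entries merged:", with_local, "->", context_type(ctx))
    specs = merged_specs()
    # /srv itself never matches the apache.fc regex, so the generic /srv
    # entry decides its label; only .../www and below become web content.
    print("/srv            ->", context_type(matchpathcon(specs, "/srv", "dir")))
    print("/srv/www/a.html ->", context_type(matchpathcon(specs, "/srv/www/a.html")))
```

Running it prints lib_t for the vmware library without the local entry and textrel_shlib_t with it, which is the result 'restorecon -nv' should report once the merged file contains the semanage-added line.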
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 14:29:46 -0400
Subject: VMware Workstation in FC5
In-Reply-To:
References: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com>
Message-ID: <4431699A.7020401@redhat.com>

Matthew Saltzman wrote:
> On Mon, 3 Apr 2006, Tom London wrote:
>
>> On 4/3/06, Matthew Saltzman wrote:
>>> Running vmware workstation in FC5 with
>>> selinux-policy-targeted-2.2.25-2.fc5
>>> produces the error:
>>>
>>> $ vmware
>>> /usr/lib/vmware/bin/vmware: error while loading shared
>>> libraries:
>>> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0:
>>> cannot
>>> restore segment prot after reloc: Permission denied
>>>
>>> and the AVC:
>>>
>>> Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied
>>> { execmod } for pid=21419 comm="vmware"
>>> name="libgdk-x11-2.0.so.0"
>>> dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0
>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>
>>> --
>>> Matthew Saltzman
>>>
>> Try
>> chcon -t textrel_shlib_t
>> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0
>
> Thanks, that did it. Is this something that can go in
> selinux-policy-targeted, or is it something that VMware needs to take
> care of?
>
We can take care of the file context to allow it, but vmware should fix
their library to not need it, if possible.

http://people.redhat.com/drepper/selinux-mem.html

explains what execmod means.

Dan

>>
>> tom
>> --
>> Tom London
>>
>

From dwalsh at redhat.com Mon Apr 3 18:31:33 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 14:31:33 -0400
Subject: How to start up an unconfined service
In-Reply-To: <44314ED6.9030909@cora.nwra.com>
References: <44314B12.3070904@redhat.com> <44314ED6.9030909@cora.nwra.com>
Message-ID: <44316A05.1030709@redhat.com>

Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> Orion Poplawski wrote:
>>> I'm running SGE (Sun Grid Engine) and the daemon is now starting up
>>> in the initrc_t domain. I really need it to be unconfined (I
>>> believe) as it can really do just about anything. How can I do this?
>>>
>> In targeted policy initrc_t is unconfined. I believe you could also
>> chcon -t unconfined_exec_t DAEMONPATH
>> to get the transition
>
> Okay, so the problem is with execmod then:
>
> audit(1144077767.717:1841): avc: denied { execmod } for pid=30457
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> and:
>
> audit(1144077181.455:932): avc: denied { execmod } for pid=27638
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> I'm trying to build HDF5-1.7.52 and this is happening during the
> make-check phase. The first is doing an rpmbuild as a normal user.
> The second is with mock started by SGE.
>
You can turn off this check by setting allow_execmod boolean.

setsebool -P allow_execmod=1

Or you can label these files with textrel_shlib_t

chcon -t textrel_shlib_t libhdf5.so.1.2.1

From dwalsh at redhat.com Mon Apr 3 18:36:51 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 14:36:51 -0400
Subject: Packaging hotfixes
In-Reply-To: <20060403171134.GF11930@neu.nirvana>
References: <20060403171134.GF11930@neu.nirvana>
Message-ID: <44316B43.7050901@redhat.com>

Axel Thimm wrote:
> Hi,
>
> is there a way to have policy enhancements per packages? I'm asking
> this because both fedora's and upstream handling of new selinux rules
> works great, still the upgraded selinux-policy packages need some time
> to hit the users and while they wait for their nvidia, avidemux,
> whatever fix, they always seem to need it instantaneously and prefer
> to turn off selinux altogether instead of waiting for a fix.
>
> If there is a way to locally add rules from packages, then the
> problematic app foo could carry an selinux snippet with itself and
> install it until the policy package catches up.
>
> Or would such a mechanism allow any package to overthrow selinux
> altogether thus making this more of a security risk than a feature?
>
modular policy allows for customization to local policy. You can look
at policy generated by audit2allow -M to see this. Most of the
problems you are talking about are from libraries requesting more privs
than they require, execmod. You can change the file context on those
files to tell selinux to allow the access.

chcon -t textrel_shlib_t LIBRARY

http://people.redhat.com/drepper/selinux-mem.html

Explains the risks of the exec* accesses.

Any time you see this, it should be reported as a problem with SELinux
policy but also reported back to the package maintainer, as they might
have a problem with their library.

Dan

From dwalsh at redhat.com Mon Apr 3 18:38:07 2006
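The triage the replies above describe (execmod on a library: relabel as textrel_shlib_t and report it to the maintainer; anything else: review before reaching for audit2allow), as an added example that is not a tool from the list or from the audit/setools packages. The sample lines are the AVC messages quoted in this thread; the verdict wording and the fallback-label check for default_t/file_t targets are mine.

```python
"""Collapse repeated 'avc: denied' lines and attach a triage verdict.

Added example, not code from the thread.  Reads syslog/dmesg text.
"""
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample log lines copied from the messages in this thread, plus one
# non-AVC kernel line to show that it is ignored.
SAMPLE_LOG = """\
Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied { execmod } for pid=21419 comm="vmware" name="libgdk-x11-2.0.so.0" dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Apr 3 09:41:20 vincent52 kernel: audit(1144071680.338:437): avc: denied { write } for pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
audit(1144077181.455:932): avc: denied { execmod } for pid=27638 comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 31 20:04:18 random kernel: audit(1143831757.360:452): avc: denied { search } for pid=1385 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
"""


def parse_avc(line):
    """Return a dict of the denial's fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def context_type(context):
    """Type field of user:role:type[:level], level may contain colons itself."""
    return context.split(":")[2]


def triage(rec):
    """Verdict for one denial, following the advice given in the thread."""
    ttype = context_type(rec["tcontext"])
    notes = []
    if "execmod" in rec["perms"] and rec["tclass"] == "file":
        if ttype == "textrel_shlib_t":
            notes.append("already textrel_shlib_t: policy problem, not a label problem")
        else:
            notes.append("library %s needs text relocations: label it "
                         "textrel_shlib_t and report it to the package maintainer"
                         % rec.get("name", "?"))
    else:
        notes.append("other denial: review first, audit2allow -M only if the "
                     "access is legitimate")
    # default_t / file_t mean no file_contexts entry matched or the object was
    # never labeled: a relabel (restorecon) is the fix, not an allow rule.
    if ttype in ("default_t", "file_t"):
        notes.append("target carries fallback label %s: relabel it" % ttype)
    return "; ".join(notes)


def summarize(log_text):
    """Group identical denials (different pids/timestamps) and count them."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], " ".join(rec["perms"]), rec.get("name", "?"),
               context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"])
        entry = summary.setdefault(key, {"count": 0, "verdict": triage(rec)})
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG).items():
        comm, perms, name, stype, ttype, tclass = key
        print("%3dx %-16s %-8s %-20s %s -> %s %s" % (entry["count"], comm, perms,
              name, stype, ttype, tclass))
        print("     " + entry["verdict"])
```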
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 14:38:07 -0400
Subject: fc5: several troubles at my first attempt
In-Reply-To: <200603311936.k2VJa24V026095@tiffany.internal.tigress.co.uk>
References: <200603311936.k2VJa24V026095@tiffany.internal.tigress.co.uk>
Message-ID: <44316B8F.2010109@redhat.com>

Ron Yorston wrote:
> Stephen Smalley wrote:
>
>> On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>>
>>> I have installed current fc5 by http about week or two ago. It updated from rawhide.
>>> It currently installed on hda2 and it ran from qemu.
>>>
>>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>> hda2 here is /
>>>
>> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>> Need to relabel?
>>
>
> I'm seeing these too. My /var is on a separate partition. Could this be
> the cause of the problem?
>
> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
> Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds
> Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal
> Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode.
> Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr
>
> # df
> Filesystem 1K-blocks Used Available Use% Mounted on
> /dev/hde3 972564 353452 568912 39% /
> /dev/hde8 972532 290180 632152 32% /var
> # ls -Zd /var
> drwxr-xr-x root root system_u:object_r:var_t /var
> # ls -id /var
> 2 /var
>
> Ron
>
What happens when you

restorecon -R -v /var

From dwalsh at redhat.com Mon Apr 3 18:39:00 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Apr 2006 14:39:00 -0400
Subject: SELinux overview on line.
In-Reply-To: <200604030742.41911.par.aronsson@bredband.net>
References: <442A9F79.6010309@redhat.com> <200604030742.41911.par.aronsson@bredband.net>
Message-ID: <44316BC4.8010401@redhat.com>

Pär Aronsson wrote:
> This is a great piece Dan.
> Is there any way to download it so that it can be shown offline?
>
I have asked for this, but have gotten no response. If I hear how, I
will try to make it available.

> Pär Aronsson
>
> On Wednesday 29 March 2006 16:53, Daniel J Walsh wrote:
>
>> http://www.redhat.com/v/swf/SELinux/
>>
>> Dan
>>

From rmy at tigress.co.uk Mon Apr 3 19:34:30 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Mon, 3 Apr 2006 20:34:30 +0100 (BST)
Subject: fc5: several troubles at my first attempt
Message-ID: <200604031934.k33JYUn4029239@tiffany.internal.tigress.co.uk>

Daniel J Walsh wrote:
>Ron Yorston wrote:
>> Stephen Smalley wrote:
>>
>>> On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>>>
>>>> I have installed current fc5 by http about week or two ago. It updated from rawhide.
>>>> It currently installed on hda2 and it ran from qemu.
>>>>
>>>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>>>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> hda2 here is /
>>>>
>>> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>>> Need to relabel?
>>>
>>
>> I'm seeing these too. My /var is on a separate partition. Could this be
>> the cause of the problem?
>>
>> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>> Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
>> Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
>> Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds
>> Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal
>> Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode.
>> Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr
>>
>> # df
>> Filesystem 1K-blocks Used Available Use% Mounted on
>> /dev/hde3 972564 353452 568912 39% /
>> /dev/hde8 972532 290180 632152 32% /var
>> # ls -Zd /var
>> drwxr-xr-x root root system_u:object_r:var_t /var
>> # ls -id /var
>> 2 /var
>>
>> Ron
>>
>What happens when you
>
>restorecon -R -v /var
>

Nothing much.

# ls -Zd /var
drwxr-xr-x root root system_u:object_r:var_t /var
# restorecon -R -v /var
restorecon reset /var/log/Xorg.0.log context system_u:object_r:var_log_t->system_u:object_r:xserver_log_t
restorecon reset /var/log/xen-hotplug.log context system_u:object_r:var_log_t->system_u:object_r:xend_var_log_t
restorecon reset /var/log/Xorg.0.log.old context system_u:object_r:var_log_t->system_u:object_r:xserver_log_t
lstat(/var/lib/nfs/rpc_pipefs) failed: Permission denied
restorecon reset /var/run/sendmail.pid context system_u:object_r:var_run_t->system_u:object_r:sendmail_var_run_t
# ls -Zd /var
drwxr-xr-x root root system_u:object_r:var_t /var

And rebooting still results in 450 messages like:

Apr 3 20:25:04 random kernel: audit(1144092277.317:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir

I've tried booting with the FC5 rescue CD. This shows that the /var
mount point on hde3 still has the wrong context:

sh-3.1# ls -id var
62785 var
sh-3.1# ls -Zd var
drwxr-xr-x root root system_u:object_r:file_t:s0 var

There doesn't seem to be a copy of restorecon on the rescue CD so I
wasn't able to change the context of the mount point.

Why's pam_console_app trying to access /var before it's been mounted
anyway?

Ron

From klaus at atsec.com Mon Apr 3 20:48:24 2006
From: klaus at atsec.com (Klaus Weidner)
Date: Mon, 3 Apr 2006 15:48:24 -0500
Subject: Problem while writing the new policy
In-Reply-To: <63889910604030825m2c99729fr81a88fd1f9843b03@mail.gmail.com>
References: <63889910604030825m2c99729fr81a88fd1f9843b03@mail.gmail.com>
Message-ID: <20060403204824.GA9630@w-m-p.com>

On Mon, Apr 03, 2006 at 08:55:54PM +0530, Suman B wrote:
> Hi,
> I am a newbie to selinux. I would like to write a new policy and want to
> ensure that the policy is working.
>
> I saw in some web pages, that i have to write a policy file and to keep in
> /etc/selinux/src/ , but there is no such directory.
>
> What are the steps i have to follow for writing the policy. and give me a
> small example with which i can create a new policy.

Here's the method I'm using. I think making this easier would help
people who want to contribute policies...

Get and install the selinux-policy source rpm, and prepare it for build
using

cd /usr/src/redhat
rpmbuild -bp SPECS/selinux-policy.spec

Then change to directory /usr/src/redhat/BUILD/serefpolicy-*/, and
configure and build the policy you want, something like this (adapted
from the spec file):

NAME="mls"
TYPE="strict-mls"
Args="NAME=$NAME TYPE=$TYPE DISTRO=redhat DIRECT_INITRC=n MONOLITHIC=n POLY=n"
RPM_SOURCE_DIR=/usr/src/redhat/SOURCES

make $Args bare
make $Args conf
cp -f ${RPM_SOURCE_DIR}/modules-$NAME.conf ./policy/modules.conf
cp -f ${RPM_SOURCE_DIR}/booleans-$NAME.conf ./policy/booleans.conf
make $Args base.pp
make $Args modules
make $Args install

Be careful, installing a policy different from the one you're currently
running will require an autorelabel.

-Klaus

From Axel.Thimm at ATrpms.net Mon Apr 3 19:16:39 2006
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Mon, 3 Apr 2006 21:16:39 +0200
Subject: Packaging hotfixes
In-Reply-To: <44316B43.7050901@redhat.com>
References: <20060403171134.GF11930@neu.nirvana> <44316B43.7050901@redhat.com>
Message-ID: <20060403191639.GA24961@neu.nirvana>

On Mon, Apr 03, 2006 at 02:36:51PM -0400, Daniel J Walsh wrote:
> Axel Thimm wrote:
> >Hi,
> >
> >is there a way to have policy enhancements per packages? I'm asking
> >this because both fedora's and upstream handling of new selinux rules
> >works great, still the upgraded selinux-policy packages need some time
> >to hit the users and while they wait for their nvidia, avidemux,
> >whatever fix, they always seem to need it instantaneously and prefer
> >to turn off selinux altogether instead of waiting for a fix.
> >
> >If there is a way to locally add rules from packages, then the
> >problematic app foo could carry an selinux snippet with itself and
> >install it until the policy package catches up.
> >
> >Or would such a mechanism allow any package to overthrow selinux
> >altogether thus making this more of a security risk than a feature?
> >
>
> modular policy allows for customization to local policy. You can look
> at policy generated by audit2allow -M to see this. Most of the
> problems you are talking about are from libraries requesting more privs
> than they require, execmod. You can change the file context on those
> files to tell selinux to allow the access. chcon -t textrel_shlib_t
> LIBRARY
>
> http://people.redhat.com/drepper/selinux-mem.html
>
> Explains the risks of the exec* accesses.
>
> Any time you see this, it should be reported as a problem with SELinux
> policy but also reported back to the package maintainer, as they might
> have a problem with their library.

Ok, thanks a lot for the info. As the package maintainer I will forward the issue to upstream and hope to see it fixed in the next upstream release. But it's good to have a local workaround/fix until this happens.
--
Axel.Thimm at ATrpms.net

From selinux at gmail.com Mon Apr 3 23:29:35 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 3 Apr 2006 16:29:35 -0700
Subject: VMware Workstation in FC5
In-Reply-To: <4431699A.7020401@redhat.com>
References: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com> <4431699A.7020401@redhat.com>
Message-ID: <4c4ba1530604031629r1dbd69f8ub31a45aaf8dbcbcf@mail.gmail.com>

On 4/3/06, Daniel J Walsh wrote:
> Matthew Saltzman wrote:
> > On Mon, 3 Apr 2006, Tom London wrote:
> >
> >> On 4/3/06, Matthew Saltzman wrote:
> >>> Running vmware workstation in FC5 with
> >>> selinux-policy-targeted-2.2.25-2.fc5
> >>> produces the error:
> >>>
> >>> $ vmware
> >>> /usr/lib/vmware/bin/vmware: error while loading shared
> >>> libraries:
> >>> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0:
> >>> cannot
> >>> restore segment prot after reloc: Permission denied
> >>>
> >>> and the AVC:
> >>>
> >>> Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied
> >>> { execmod } for pid=21419 comm="vmware"
> >>> name="libgdk-x11-2.0.so.0"
> >>> dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0
> >>> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >>>
> >>> --
> >>> Matthew Saltzman
> >>>
> >> Try
> >> chcon -t textrel_shlib_t
> >> /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0
> >
> > Thanks, that did it. Is this something that can go in
> > selinux-policy-targeted, or is it something that VMware needs to take
> > care of?
> >
> We can take care of the file context to allow it, but vmware should fix
> their library to not need it, if possible.
> http://people.redhat.com/drepper/selinux-mem.html
> explains what execmod means.
>
> Dan

Yeah, I tried that at vmware and got nowhere....

I strongly suspect we are blazing the trail here.

tom
--
Tom London

From jouni at viikarit.com Tue Apr 4 10:52:21 2006
From: jouni at viikarit.com (Jouni Viikari)
Date: Tue, 4 Apr 2006 13:52:21 +0300 (EEST)
Subject: Selinux & httpd in FC5
In-Reply-To: <39592.192.100.116.143.1144146570.squirrel@www.viikarit.com>
References: <39592.192.100.116.143.1144146570.squirrel@www.viikarit.com>
Message-ID: <59313.192.100.116.143.1144147941.squirrel@www.viikarit.com>

Hi,

I just noticed that I was able to run cgi-scripts on apache whose type was bin_t instead of httpd_sys_script_exec_t. Is this expected nowadays? I am using FC5 with the latest updates (selinux-policy-targeted-2.2.25-3.fc5)

Also this bin_t script was able to read files which were by accident httpd_sys_script_exec_t type.

My booleans:

# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> off

BTW, is there a way or tools to find out what e.g. httpd_exec_t program is allowed to do (and what do the booleans really affect) on currently active policy?

Best regards,
Jouni

From rmy at tigress.co.uk Tue Apr 4 20:02:10 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Tue, 4 Apr 2006 21:02:10 +0100 (BST)
Subject: fc5: several troubles at my first attempt
Message-ID: <200604042002.k34K2AhY000393@tiffany.internal.tigress.co.uk>

I wrote:

[snip lots of stuff]

>>> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir

OK, I booted into single user mode, unmounted /var and ran

chcon -t var_t /var

on the mount point. Now when I boot I don't get 450 messages like the above.

The underlying problem is that pam_console_apply is trying to access /var before it's mounted. We just happened to see it because the SELinux context on the mount point won't allow it.

Ron

From dwalsh at redhat.com Tue Apr 4 11:53:17 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 04 Apr 2006 07:53:17 -0400
Subject: Small bug in apache.fc
In-Reply-To: <44316485.9030309@ip-solutions.net>
References: <442F099E.4070600@ip-solutions.net> <1144070649.9028.17.camel@moss-spartans.epoch.ncsc.mil> <443161F8.3040804@redhat.com> <44316485.9030309@ip-solutions.net>
Message-ID: <44325E2D.7010504@redhat.com>

Harry Hoffman wrote:
> Hi,
>
> I'm happy to setup /srv to be var_t for the time being.
>
> Two questions:
>
> 1) if this isn't an ideal way of solving the problem is there a better way?
> 2) will whatever the solution become be merged into the policies that
> RHAS/Fedora/Centos/etc. use?
>
> Thanks,
> Harry
>
>
>
This solution is already in Fedora and will be in RHEL and I suppose its clones. The only change would be if we started to label srv as something different. (srv_t)?

From louisg00 at bellsouth.net Tue Apr 4 21:44:36 2006
From: louisg00 at bellsouth.net (Louis E Garcia II)
Date: Tue, 04 Apr 2006 17:44:36 -0400
Subject: gstreamer plugin problem
Message-ID: <1144187077.2628.13.camel@soncomputer>

pitfdll is a gstreamer plugin that loads win32 binary codecs, which works if selinux=0.

$ ls -Z /usr/lib/gstreamer-0.10/libpitfdll.so
-rwxr-xr-x root root system_u:object_r:lib_t libpitfdll.so

ls -Z -d /usr/lib/win32
drwxr-xr-x root root system_u:object_r:lib_t /usr/lib/win32

under selinux it can't. I get this error:

type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

I put this through audit2allow:
allow unconfined_t lib_t:file execmod;

I don't want to have all unconfined_t access to lib_t just libpitfdll.so.

how can I only allow libpitfdll.so access to lib_t?

--Louis

From selinux at gmail.com Wed Apr 5 02:04:57 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 4 Apr 2006 19:04:57 -0700
Subject: -Wunused-param in kernel compiles?
Message-ID: <4c4ba1530604041904l61833208n3ca5ceb902316f09@mail.gmail.com>

The last few kernels appear to be compiled with '-Wunused-param'. That right?

Is this a 'going forward' feature?

Appears to break vmware.

Just want to know if I need work on this, or if it will revert at some future point...

tom
--
Tom London

From selinux at gmail.com Wed Apr 5 02:13:35 2006
From: selinux at gmail.com (Tom London) Date: Tue, 4 Apr 2006 19:13:35 -0700 Subject: -Wunused-param in kernel compiles? In-Reply-To: <4c4ba1530604041904l61833208n3ca5ceb902316f09@mail.gmail.com> References: <4c4ba1530604041904l61833208n3ca5ceb902316f09@mail.gmail.com> Message-ID: <4c4ba1530604041913s3f6dfa0es752f2090395ced3@mail.gmail.com> Sorry, posted to wrong list.... tom On 4/4/06, Tom London wrote: > The last few kernels appear to be compiled with '-Wunused-param'. That right? > > Is this a 'going forward' feature? > > Appears to break vmware. > > Just want to know if I need work on this, or if it will revert at some > future point... > > tom > -- > Tom London > -- Tom London From paul at city-fan.org Wed Apr 5 06:58:10 2006 
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 05 Apr 2006 07:58:10 +0100
Subject: gstreamer plugin problem
In-Reply-To: <1144187077.2628.13.camel@soncomputer>
References: <1144187077.2628.13.camel@soncomputer>
Message-ID: <1144220290.32571.4.camel@laurel.intra.city-fan.org>

On Tue, 2006-04-04 at 17:44 -0400, Louis E Garcia II wrote:
> pitfdll is a gstreamer plugin that loads win32 binary codecs.
> Which works if selinux=0.
>
> $ ls -Z /usr/lib/gstreamer-0.10/libpitfdll.so
> -rwxr-xr-x root root system_u:object_r:lib_t
> libpitfdll.so
>
> ls -Z -d /usr/lib/win32
> drwxr-xr-x root root
> system_u:object_r:lib_t /usr/lib/win32
>
> under selinux it can't. I get this error:
>
> type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for
> pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> I put this through audit2allow:
> allow unconfined_t lib_t:file execmod;
>
> I don't want to have all unconfined_t access to lib_t just
> libpitfdll.so.
>
> how can I only allow libpitfdll.so access to lib_t?

Change it from lib_t to textrel_shlib_t

This is discussed in the FC5 SELinux FAQ at:
http://fedora.redhat.com/docs/selinux-faq-fc5/
(I have a process running as unconfined_t, and SELinux is still preventing my application from running)

Unfortunately there is a typo in the FAQ and it tells you to use testrel_shlib_t instead of textrel_shlib_t.

Paul.

From i.pilcher at comcast.net Wed Apr 5 15:15:19 2006
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Wed, 05 Apr 2006 10:15:19 -0500
Subject: VMware Workstation in FC5
In-Reply-To: <4c4ba1530604031629r1dbd69f8ub31a45aaf8dbcbcf@mail.gmail.com>
References: <4c4ba1530604030731p5df89167v5c1be67e6224596b@mail.gmail.com> <4431699A.7020401@redhat.com> <4c4ba1530604031629r1dbd69f8ub31a45aaf8dbcbcf@mail.gmail.com>
Message-ID:

Tom London wrote:
> Yeah, I tried that at vmware and got nowhere....
>
> I strongly suspect we are blazing the trail here.

Someone at VMware needs to clue in to the fact that all of the SELinux-related bugs that Fedora Core users are finding are going to bite their supported customers when RHEL 5 hits the streets.

--
========================================================================
Ian Pilcher i.pilcher at comcast.net
========================================================================

From dant at cdkkt.com Wed Apr 5 17:59:27 2006
From: dant at cdkkt.com (Dan Thurman)
Date: Wed, 05 Apr 2006 10:59:27 -0700
Subject: [FC5] Samba and SELinux
Message-ID: <1144259968.2967.63.camel@copper.cdkkt.com>

Folks,

What is the procedure for creating Samba shares and getting around the SELinux issues?

Samba by default no longer works with shares such as [homes] and any other added shares without administrator intervention to add SELinux labels on share directories.

Please direct me to the FAQ for Samba & SELinux or please tell me what I have to do to get samba shares working.

In my case - I am getting permission denied in the audit logs and in the message logs for nmbd, I am getting "directories do not exist" errors (when they actually do!).

Kind regards,
Dan

From sds at tycho.nsa.gov Wed Apr 5 18:09:19 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 05 Apr 2006 14:09:19 -0400
Subject: Sharing partitions between FC4 and FC5
In-Reply-To: <200604031731.k33HV7q1029163@tiffany.internal.tigress.co.uk>
References: <200604031731.k33HV7q1029163@tiffany.internal.tigress.co.uk>
Message-ID: <1144260559.25790.105.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-04-03 at 18:31 +0100, Ron Yorston wrote:
> Stephen Smalley wrote:
> >A MLS compatibility patch went into Linux 2.6.15 and was back ported to
> >one of the FC4 kernel updates. Is your FC4 kernel updated?
>
> I think I'm entirely up to date:
>
> # uname -r
> 2.6.16-1.2069_FC4
> # rpm -qa | grep selinux
> selinux-policy-targeted-1.27.1-2.22
> libselinux-devel-1.23.11-1.1
> libselinux-1.23.11-1.1

Only the kernel matters. 2.6.15 and later should accept a MLS suffix (the :s0 part) on the context of on-disk inodes even if MLS is disabled in the policy. Bugzilla it.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Apr 5 18:13:24 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 05 Apr 2006 14:13:24 -0400
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144259968.2967.63.camel@copper.cdkkt.com>
References: <1144259968.2967.63.camel@copper.cdkkt.com>
Message-ID: <1144260804.25790.108.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> Folks,
>
> What is the procedure for creating Samba shares and
> getting around the SELinux issues?
>
> Samba by default no longer works with shares such
> as [homes] and any other added shares without administrator
> intervention to add SELinux labels on share directories.
>
> Please direct me to the FAQ for Samba & SELinux or
> please tell me what I have to do to get samba shares
> working.
>
> In my case - I am getting permission denied in the audit
> logs and in the message logs for nmbd, I am getting
> directories do not exist errors (when they actually
> do!).

Does 'man samba_selinux' still cover the issue adequately? Or does it need to be updated?

--
Stephen Smalley
National Security Agency

From rmy at tigress.co.uk Wed Apr 5 18:32:14 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Wed, 05 Apr 2006 19:32:14 +0100
Subject: Sharing partitions between FC4 and FC5
In-Reply-To: <1144260559.25790.105.camel@moss-spartans.epoch.ncsc.mil>
References: <200604031731.k33HV7q1029163@tiffany.internal.tigress.co.uk> <1144260559.25790.105.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200604051832.k35IWEhp002247@tiffany.internal.tigress.co.uk>

Stephen Smalley wrote:
>On Mon, 2006-04-03 at 18:31 +0100, Ron Yorston wrote:
>> Stephen Smalley wrote:
>> >A MLS compatibility patch went into Linux 2.6.15 and was back ported to
>> >one of the FC4 kernel updates. Is your FC4 kernel updated?
>>
>> I think I'm entirely up to date:
>>
>> # uname -r
>> 2.6.16-1.2069_FC4
>> # rpm -qa | grep selinux
>> selinux-policy-targeted-1.27.1-2.22
>> libselinux-devel-1.23.11-1.1
>> libselinux-1.23.11-1.1
>
>Only the kernel matters. 2.6.15 and later should accept a MLS suffix
>(the :s0 part) on the context of on-disk inodes even if MLS is disabled
>in the policy. Bugzilla it.

Done.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068

Ron

From bobk at ocf.berkeley.edu Wed Apr 5 19:59:21 2006
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Wed, 05 Apr 2006 12:59:21 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144259968.2967.63.camel@copper.cdkkt.com>
References: <1144259968.2967.63.camel@copper.cdkkt.com>
Message-ID: <1144267162.3557.2.camel@chaucer>

On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> Folks,
>
> What is the procedure for creating Samba shares and
> getting around the SELinux issues?
>
> Samba by default no longer works with shares such
> as [homes] and any other added shares without administrator
> intervention to add SELinux labels on share directories.
>
> Please direct me to the FAQ for Samba & SELinux or
> please tell me what I have to do to get samba shares
> working.
>
> In my case - I am getting permission denied in the audit
> logs and in the message logs for nmbd, I am getting
> directories do not exist errors (when they actually
> do!).

/usr/sbin/setsebool -P samba_enable_home_dirs=1
/usr/sbin/setsebool -P smbd_disable_trans=1

That's what I had to do to get samba working with home shares on FC5.

Bob
--
Bob Kashani
http://www.gnome.org/~bobk/

From dant at cdkkt.com Wed Apr 5 20:26:40 2006
From: dant at cdkkt.com (Dan Thurman)
Date: Wed, 05 Apr 2006 13:26:40 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144267162.3557.2.camel@chaucer>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer>
Message-ID: <1144268801.2967.107.camel@copper.cdkkt.com>

On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > Folks,
> >
> > What is the procedure for creating Samba shares and
> > getting around the SELinux issues?
> >
> > Samba by default no longer works with shares such
> > as [homes] and any other added shares without administrator
> > intervention to add SELinux labels on share directories.
> >
> > Please direct me to the FAQ for Samba & SELinux or
> > please tell me what I have to do to get samba shares
> > working.
> >
> > In my case - I am getting permission denied in the audit
> > logs and in the message logs for nmbd, I am getting
> > directories do not exist errors (when they actually
> > do!).
>
> /usr/sbin/setsebool -P samba_enable_home_dirs=1
> /usr/sbin/setsebool -P smbd_disable_trans=1
>
> That's what I had to do to get samba working with home shares on FC5.
>
> Bob
>

Thanks for the response! Yes, I did that for [home] but the problem is what to do with: /var/www

There are many different contexts for this directory and all the files under it and I was not sure how to make this directory a samba share without blowing away the original context in fear of breaking it all to bits.

I want to keep all the original context AND add samba share context OR the public_share_rw_t as Stephen Smalley recommended but I was not sure how to do that. This is the question I asked of Mr Smalley and I am waiting to hear of his response.

Kind regards,
Dan

From bobk at ocf.berkeley.edu Wed Apr 5 20:29:26 2006
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Wed, 05 Apr 2006 13:29:26 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144267162.3557.2.camel@chaucer>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer>
Message-ID: <1144268966.3847.1.camel@chaucer>

On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > Folks,
> >
> > What is the procedure for creating Samba shares and
> > getting around the SELinux issues?
> >
> > Samba by default no longer works with shares such
> > as [homes] and any other added shares without administrator
> > intervention to add SELinux labels on share directories.
> >
> > Please direct me to the FAQ for Samba & SELinux or
> > please tell me what I have to do to get samba shares
> > working.
> >
> > In my case - I am getting permission denied in the audit
> > logs and in the message logs for nmbd, I am getting
> > directories do not exist errors (when they actually
> > do!).
>
> /usr/sbin/setsebool -P samba_enable_home_dirs=1
> /usr/sbin/setsebool -P smbd_disable_trans=1
>
> That's what I had to do to get samba working with home shares on FC5.

Forgot to mention that you need to restart samba for things to work.

/sbin/service smb restart

Bob
--
Bob Kashani
http://www.gnome.org/~bobk/

From bobk at ocf.berkeley.edu Wed Apr 5 21:42:52 2006
From: bobk at ocf.berkeley.edu (Bob Kashani) Date: Wed, 05 Apr 2006 14:42:52 -0700 Subject: [FC5] Samba and SELinux In-Reply-To: <1144268801.2967.107.camel@copper.cdkkt.com> References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> Message-ID: <1144273372.4175.15.camel@chaucer> On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote: > On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote: > > On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote: > > > Folks, > > > > > > What is the procedure for creating Samba shares and > > > getting around the SELinux issues? > > > > > > Samba by default no longer works with shares such > > > as [homes] and any other added shares without administrator > > > intervention to add SELinux labels on share directories. > > > > > > Please direct me to the FAQ for Samba & SELinux or > > > please tell me what I have to do to get samba shares > > > working. > > > > > > In my case - I am getting permission denied in the audit > > > logs and in the message logs for nmbd, I am getting > > > directories do not exists errors (when they actually > > > do!). > > > > /usr/sbin/setsebool -P samba_enable_home_dirs=1 > > /usr/sbin/setsebool -P smbd_disable_trans=1 > > > > That's what I had to do to get samba working with home shares on FC5. > > > > Bob > > > > Thanks for the response! Yes, I did that for [home] but > the problem is what to do with: /var/www > > There are many different contexts for this directory and all > the files under it and I was not sure how to make this directory > a samba share without blowing away the original context in fear > of breaking it all to bits. > > I want to keep all the original context AND add samba share context > OR the public_share_rw_t as Stephen Smalley recommended but I was > not sure how to do that. This is the question I asked of Mr Smalley > and I am waiting to hear of his response. 
Well if you have things set up properly then you should be able to read/write to your /var/www dir just fine as-is without any extra changes. I can access my /var/www content just fine via samba without any extra tweaking of selinux. I basically access my /var/www dir through my home dir. Just create a symlink from your home dir to /var/www and make sure that you own the dirs and have the right permissions to rw to it.

Bob
--
Bob Kashani
http://www.gnome.org/~bobk/

From mjs at ces.clemson.edu Wed Apr 5 22:42:37 2006
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Wed, 5 Apr 2006 18:42:37 -0400 (EDT)
Subject: Amanda client AVC
Message-ID:

My amanda clients are seeing the following:

kernel: audit(1144217150.855:17): avc: denied { name_bind } for pid=3707 comm="sendbackup" src=697 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

And they don't work.

How to fix, please? TIA.

--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From tibbs at math.uh.edu Thu Apr 6 01:00:54 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 05 Apr 2006 20:00:54 -0500
Subject: Amanda client AVC
In-Reply-To: (Matthew Saltzman's message of "Wed, 5 Apr 2006 18:42:37 -0400 (EDT)")
References:
Message-ID:

I had the same AVC from amanda when nscd was not running; in that case, amanda (via the C library) has to make a network connection to the LDAP server (or NIS server, I suppose) in order to look up user info. I solved the problem by making sure nscd was started, but it seems you can also set a boolean (allow_ypbind, I think) to allow these network connections.

- J<

From paul at city-fan.org Thu Apr 6 06:42:51 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 06 Apr 2006 07:42:51 +0100
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144267162.3557.2.camel@chaucer>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer>
Message-ID: <1144305772.4028.3.camel@laurel.intra.city-fan.org>

On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > Folks,
> >
> > What is the procedure for creating Samba shares and
> > getting around the SELinux issues?
> >
> > Samba by default no longer works with shares such
> > as [homes] and any other added shares without administrator
> > intervention to add SELinux labels on share directories.
> >
> > Please direct me to the FAQ for Samba & SELinux or
> > please tell me what I have to do to get samba shares
> > working.
> >
> > In my case - I am getting permission denied in the audit
> > logs and in the message logs for nmbd, I am getting
> > directories do not exist errors (when they actually
> > do!).
>
> /usr/sbin/setsebool -P samba_enable_home_dirs=1
> /usr/sbin/setsebool -P smbd_disable_trans=1
>
> That's what I had to do to get samba working with home shares on FC5.

The second of these is turning off SELinux protection for the samba server. It really shouldn't be necessary to do that if you're just trying to share home directories (/home/*) using samba.

Paul.

From paul at city-fan.org Thu Apr 6 06:48:58 2006
From: paul at city-fan.org (Paul Howarth) Date: Thu, 06 Apr 2006 07:48:58 +0100 Subject: [FC5] Samba and SELinux In-Reply-To: <1144268801.2967.107.camel@copper.cdkkt.com> References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> Message-ID: <1144306138.4028.10.camel@laurel.intra.city-fan.org> On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote: > On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote: > > On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote: > > > Folks, > > > > > > What is the procedure for creating Samba shares and > > > getting around the SELinux issues? > > > > > > Samba by default no longer works with shares such > > > as [homes] and any other added shares without administrator > > > intervention to add SELinux labels on share directories. > > > > > > Please direct me to the FAQ for Samba & SELinux or > > > please tell me what I have to do to get samba shares > > > working. > > > > > > In my case - I am getting permission denied in the audit > > > logs and in the message logs for nmbd, I am getting > > > directories do not exists errors (when they actually > > > do!). > > > > /usr/sbin/setsebool -P samba_enable_home_dirs=1 > > /usr/sbin/setsebool -P smbd_disable_trans=1 > > > > That's what I had to do to get samba working with home shares on FC5. > > > > Bob > > > > Thanks for the response! Yes, I did that for [home] but > the problem is what to do with: /var/www > > There are many different contexts for this directory and all > the files under it and I was not sure how to make this directory > a samba share without blowing away the original context in fear > of breaking it all to bits. > > I want to keep all the original context AND add samba share context > OR the public_share_rw_t as Stephen Smalley recommended but I was > not sure how to do that. This is the question I asked of Mr Smalley > and I am waiting to hear of his response. 
You can't have multiple contexts for a file, so it's not possible AFAIK to have both the original context *and* public_content_rw_t.

If your web server is only serving static data (nothing that requires write access to /var/www for the web server itself), you could relabel /var/www/* as public_content_t. If you have internal scripting like PHP that needs write access, you could use public_content_rw_t.

However, if you're using cgi scripts that currently need httpd_script_exec_t, you'd need to generate a local policy module that allowed samba to read/write the httpd_* types.

Paul.

From sds at tycho.nsa.gov Thu Apr 6 12:06:15 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 06 Apr 2006 08:06:15 -0400
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144306138.4028.10.camel@laurel.intra.city-fan.org>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org>
Message-ID: <1144325175.6176.30.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.

Correct. See the "Multiple contexts" thread on the selinux list from Jan 10 2005 for a discussion of why multiple contexts per file is a bad idea. In short, it makes information flow analysis impossible without considering the entire filesystem state.

> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
>
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.

Yes, local policy module seems like the sanest choice. If this is a common situation, I suppose it could be incorporated into the upstream policy under a boolean.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Apr 6 12:19:09 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 06 Apr 2006 08:19:09 -0400
Subject: Amanda client AVC
In-Reply-To:
References:
Message-ID: <1144325949.6176.40.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote:
> My amanda clients are seeing the following:
>
> kernel: audit(1144217150.855:17): avc: denied { name_bind } for
> pid=3707 comm="sendbackup" src=697
> scontext=system_u:system_r:amanda_t:s0
> tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
>
> And they don't work.
>
> How to fix, please? TIA.

port 697 is listed as uuidgen in /etc/services, so specifically mapping it to an amanda port type and allowing amanda to bind to it seems wrong. If this is just a result of probing for any available low port for NIS, then the allow_ypbind boolean is likely relevant; try enabling it.

--
Stephen Smalley
National Security Agency

From ce at ruault.com Thu Apr 6 16:09:33 2006
From: ce at ruault.com (Charles-Edouard Ruault)
Date: Thu, 06 Apr 2006 18:09:33 +0200
Subject: [FC5] Wrong default context for hping2
Message-ID: <44353D3D.7080609@ruault.com>

Hi All,

i've noticed that hping2 ( hping2-2.0.0-0.5.rc3 ) is not labeled with the correct security context. The binary is labeled with context ping_exec_t:

-rwxr-xr-x root root system_u:object_r:ping_exec_t /usr/sbin/hping2

But the ping_exec_t domain does not allow the creation of a packet socket. Here's the audit log:

type=AVC msg=audit(1144338231.596:1933): avc: denied { create } for pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket

To work around this issue, i simply changed the context of hping2 to sbin_t and it works fine. The other option is to modify the ping_t domain to allow the creation of a packet socket. audit2allow yields the following rule:

allow ping_t self:packet_socket create;

I'll leave the decision up to the package maintainer !

--
Charles-Edouard Ruault
GPG key Id E4D2B80C

From udjinrg at forenet.by Thu Apr 6 16:56:32 2006
From: udjinrg at forenet.by (Maxim Britov)
Date: Thu, 6 Apr 2006 19:56:32 +0300
Subject: fc5: several troubles at my first attempt
In-Reply-To: <44316B8F.2010109@redhat.com>
References: <200603311936.k2VJa24V026095@tiffany.internal.tigress.co.uk> <44316B8F.2010109@redhat.com>
Message-ID: <20060406195632.6725543a@maxim.office.modum.by>

> >> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
> >> Need to relabel?
> >
> > I'm seeing these too. My /var is on a separate partition. Could this be
> > the cause of the problem?
> >
> > Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> > Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
> > Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> > Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds
> > Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal
> > Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode.
> > Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr
> What happens when you
> restorecon -R -v /var

autorelabel works after /var is mounted, but those error messages appear before /var is mounted. And /var on the root partition is still unlabeled. IMHO it is an installer or filesystem package bug.

--
Maxim Britov
GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim at modum.by icq 198171258
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru xmpp:gnupg-ru at conference.jabber.ru)

From dant at cdkkt.com Thu Apr 6 17:36:17 2006
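The denials quoted in this thread and in the gstreamer, VMware, Amanda and hping2 threads above all have the same shape, and the right response depends on the target type, permission and object class rather than on the program name. The script below is an added example, not something anyone posted to the list: it pulls the permissions, source type, target type and class out of audit.log or dmesg AVC records with awk and prints the remedy the list itself suggested for each pattern (a relabel for a file_t target, textrel_shlib_t for execmod on lib_t, a boolean such as allow_ypbind for name_bind on reserved_port_t), and for anything else says to run the record through audit2allow and decide. The sample records are copied from the messages above; the function names avc_fields, avc_hint and triage are my own.

```shell
#!/bin/sh
# Added example (not from the list): triage AVC denial records by pattern.
# Reads audit.log / dmesg lines on stdin; for each "avc: denied" record it
# extracts the permissions, the source and target types and the object
# class, then prints the remedy the list suggested for that pattern.

# Constructed sample input: the four AVC records quoted in the threads above.
SAMPLE_AVCS='Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
kernel: audit(1144217150.855:17): avc: denied { name_bind } for pid=3707 comm="sendbackup" src=697 scontext=system_u:system_r:amanda_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1144338231.596:1933): avc: denied { create } for pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket'

# avc_fields: stdin -> one line per record: "perms source_type target_type class".
# The type is the third colon-separated field of a context
# (user:role:type[:range]); several permissions in one record come out
# comma-joined.
avc_fields() {
    awk '/avc: *denied/ {
        perms = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            } else if ($i ~ /^scontext=/) {
                split(substr($i, 10), s, ":"); st = s[3]
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), t, ":"); tt = t[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        print perms, st, tt, cls
    }'
}

# avc_hint PERMS SOURCE_TYPE TARGET_TYPE CLASS -> the remedy the list gave
# for that pattern.
avc_hint() {
    case "$3:$1:$4" in
        file_t:*)
            echo "target is unlabeled (file_t): run restorecon -R -v on it; for a mount point restorecon cannot see, unmount it and chcon -t the expected type, as in this thread" ;;
        lib_t:*execmod*:file)
            echo "library needs text relocations: chcon -t textrel_shlib_t on it, and report it to the package maintainer" ;;
        reserved_port_t:name_bind:*)
            echo "binding a low port: check whether a boolean such as allow_ypbind covers it before adding a port type" ;;
        *)
            echo "no canned remedy: run the record through audit2allow and decide between a boolean, a relabel or a local policy module" ;;
    esac
}

# triage: stdin -> one annotated line per record.
triage() {
    avc_fields | while read -r perms st tt cls; do
        printf '%s -> %s (%s %s): %s\n' "$st" "$tt" "$cls" "$perms" \
            "$(avc_hint "$perms" "$st" "$tt" "$cls")"
    done
}

printf '%s\n' "$SAMPLE_AVCS" | triage
```

Feed it the real log with something like `grep 'avc: *denied' /var/log/audit/audit.log | triage` on the box in question; the point of keying on target type and class rather than on comm= is that the same remedy applies whichever program tripped the rule.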
From: dant at cdkkt.com (Dan Thurman)
Date: Thu, 06 Apr 2006 10:36:17 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144306138.4028.10.camel@laurel.intra.city-fan.org>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org>
Message-ID: <1144344978.2967.201.camel@copper.cdkkt.com>

On Thu, 2006-04-06 at 07:48 +0100, Paul Howarth wrote:
> On Wed, 2006-04-05 at 13:26 -0700, Dan Thurman wrote:
> > On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> > > On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > > > Folks,
> > > >
> > > > What is the procedure for creating Samba shares and
> > > > getting around the SELinux issues?
> > > >
> > > > Samba by default no longer works with shares such
> > > > as [homes] and any other added shares without administrator
> > > > intervention to add SELinux labels on share directories.
> > > >
> > > > Please direct me to the FAQ for Samba & SELinux or
> > > > please tell me what I have to do to get samba shares
> > > > working.
> > > >
> > > > In my case - I am getting permission denied in the audit
> > > > logs and in the message logs for nmbd, I am getting
> > > > directories do not exist errors (when they actually
> > > > do!).
> > >
> > > /usr/sbin/setsebool -P samba_enable_home_dirs=1
> > > /usr/sbin/setsebool -P smbd_disable_trans=1
> > >
> > > That's what I had to do to get samba working with home shares on FC5.
> > >
> > > Bob
> > >
> >
> > Thanks for the response! Yes, I did that for [home] but
> > the problem is what to do with: /var/www
> >
> > There are many different contexts for this directory and all
> > the files under it and I was not sure how to make this directory
> > a samba share without blowing away the original context in fear
> > of breaking it all to bits.
> >
> > I want to keep all the original context AND add samba share context
> > OR the public_share_rw_t as Stephen Smalley recommended but I was
> > not sure how to do that. This is the question I asked of Mr Smalley
> > and I am waiting to hear of his response.
>
> You can't have multiple contexts for a file, so it's not possible AFAIK
> to have both the original context *and* public_content_rw_t.
>
> If your web server is only serving static data (nothing that requires
> write access to /var/www for the web server itself), you could
> relabel /var/www/* as public_content_t. If you have internal scripting
> like PHP that needs write access, you could use public_content_rw_t.
>
> However, if you're using cgi scripts that currently need
> httpd_script_exec_t, you'd need to generate a local policy module that
> allowed samba to read/write the httpd_* types.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Ugh... I am too stupid to figure this out.

Can someone give me some examples, step-by-step, of how I can do it?

Steps to perform IN ORDER listed:
1) relabel /var/www
   a) chcon -R -t public_content_t /var/www
   b) chcon -R -t public_content_rw_t /var/www/html/php (hypothetical PHP area)
2) Local policy rules
   a) ???? I have no clue how to do this step!

Thanks!

Dan

From sds at tycho.nsa.gov Thu Apr 6 18:04:14 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 06 Apr 2006 14:04:14 -0400
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144344978.2967.201.camel@copper.cdkkt.com>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org> <1144344978.2967.201.camel@copper.cdkkt.com>
Message-ID: <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
> Ugh... I am too stupid to figure this out.
>
> Can someone give me some examples, step-by-step how I can do it?
>
> Steps perform IN ORDER listed:
> 1) relabel /var/www
>    a) chcon -R -t public_content_t /var/www
>    b) chcon -R -t public_content_rw_t /var/www/html/php (hypothetical
>       PHP area)
> 2) Local policy rules
>    a) ???? I have no clue how to do this step!

If taking option (2), you don't need to relabel /var/www at all - leave
it with the httpd* types. Instead, you just allow the domain in which
samba runs to access the httpd content types. Try the following
sequence:

    $ mkdir foo
    $ cd foo
    $ vi local.te

    policy_module(local, 1.0)

    require {
        attribute httpdcontent;
        type smbd_t;
    }

    allow smbd_t httpdcontent:dir create_dir_perms;
    allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;

    :wq
    $ touch local.if local.fc
    $ make -f /usr/share/selinux/devel/Makefile
    Compliling targeted local module
    /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod
    Creating targeted local.pp policy package
    rm tmp/local.mod.fc tmp/local.mod

    $ su
    Password:
    # semodule -i local.pp

Then re-try accessing the /var/www content from samba, and if it still
doesn't work, check your /var/log/messages files for avc: denied
messages.

Notes to others on cc list:
1) Should this already be supported under a boolean in the base policy?
2) If not (or even if so), do we need more general interfaces from
   apache to allow other domains to manage all httpd content types?
3) Did I really need to create empty .if and .fc files, or was there
   some way to suppress the need for them when I did the make?
4) Compliling isn't a word ;)

--
Stephen Smalley
National Security Agency

From bobk at ocf.berkeley.edu Thu Apr 6 18:05:54 2006
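An added example, not code from any message on this list nor from audit2allow itself: the core of what audit2allow does for the denials quoted in this thread (the hping2 packet_socket denial, the /var-on-file_t denial, and the xenstored denials reported later), written as a small Python tool. It merges permissions per source/target/class, writes the target as self when source and target types match, flags denials against file_t-style targets as labeling problems rather than policy gaps (the RELABEL_TYPES set is this example's own assumption), and emits a policy_module() source in the shape of the local.te that Stephen builds above; the sample records are copied from messages on this list, and the generated .te still goes through the same make and semodule -i steps.

```python
"""Added example, not code from this list or from audit2allow itself: the
core of what audit2allow does for the AVC records quoted in this thread.
Sample records are copied (shortened) from messages on this list; the
SYSCALL record is included to show that non-AVC lines are skipped."""
import re
from collections import defaultdict

# auditd records ("type=AVC msg=audit(...): avc: denied ...") and dmesg
# records ("kernel: audit(...): avc: denied ...") carry the same fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\w+)"
)

# Assumption made for this example: a denial against one of these target
# types means the file system is mislabeled (the /var-on-file_t thread),
# so the fix is restorecon/autorelabel, not an allow rule.
RELABEL_TYPES = {"file_t", "unlabeled_t"}

SAMPLE = [
    'type=AVC msg=audit(1144338231.596:1933): avc: denied { create } for '
    'pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255 '
    'tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket',
    'type=AVC msg=audit(1144449056.572:7): avc: denied { getattr } for '
    'pid=2065 comm="xenstored" name="evtchn" dev=tmpfs ino=3308 '
    'scontext=system_u:system_r:xenstored_t:s0 '
    'tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1144449056.572:7): arch=40000003 syscall=196 '
    'success=no exit=-13 comm="xenstored" exe="/usr/sbin/xenstored"',
    'type=AVC msg=audit(1144449056.572:8): avc: denied { unlink } for '
    'pid=2065 comm="xenstored" name="evtchn" dev=tmpfs ino=3308 '
    'scontext=system_u:system_r:xenstored_t:s0 '
    'tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1144449056.572:9): avc: denied { read write } for '
    'pid=2065 comm="xenstored" name="evtchn" dev=tmpfs ino=3308 '
    'scontext=system_u:system_r:xenstored_t:s0 '
    'tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file',
    'Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied '
    '{ search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 '
    'ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:file_t:s0 tclass=dir',
]


def context_type(ctx):
    """user:role:type[:mls range] -> type (ping_t, file_t, ...)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """(source type, target type, class, perms) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m.group("scontext")), context_type(m.group("tcontext")),
            m.group("tclass"), frozenset(m.group("perms").split()))


def collect_rules(lines):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            stype, ttype, tclass, perms = rec
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """One allow statement per key; a target equal to the source is 'self'."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {stype} {target}:{tclass} {plist};")
    return out


def relabel_candidates(rules):
    """Keys whose target type points at a labeling problem, not a policy gap."""
    return [key for key in sorted(rules) if key[1] in RELABEL_TYPES]


def module_source(rules, name="local", version="1.0"):
    """policy_module() source in the form of the local.te built with
    make -f /usr/share/selinux/devel/Makefile, then semodule -i local.pp."""
    types = sorted({t for key in rules for t in key[:2]})
    body = [f"policy_module({name}, {version})", "", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += ["}", ""] + format_rules(rules)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    rules = collect_rules(SAMPLE)
    skip = relabel_candidates(rules)
    for key in skip:
        print("# relabel instead of allowing:", key)
    print(module_source({k: v for k, v in rules.items() if k not in skip}))
```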
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Thu, 06 Apr 2006 11:05:54 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144305772.4028.3.camel@laurel.intra.city-fan.org>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144305772.4028.3.camel@laurel.intra.city-fan.org>
Message-ID: <1144346754.2343.2.camel@chaucer>

On Thu, 2006-04-06 at 07:42 +0100, Paul Howarth wrote:
> On Wed, 2006-04-05 at 12:59 -0700, Bob Kashani wrote:
> > On Wed, 2006-04-05 at 10:59 -0700, Dan Thurman wrote:
> > > Folks,
> > >
> > > What is the procedure for creating Samba shares and
> > > getting around the SELinux issues?
> > >
> > > Samba by default no longer works with shares such
> > > as [homes] and any other added shares without administrator
> > > intervention to add SELinux labels on share directories.
> > >
> > > Please direct me to the FAQ for Samba & SELinux or
> > > please tell me what I have to do to get samba shares
> > > working.
> > >
> > > In my case - I am getting permission denied in the audit
> > > logs and in the message logs for nmbd, I am getting
> > > directories do not exist errors (when they actually
> > > do!).
> >
> > /usr/sbin/setsebool -P samba_enable_home_dirs=1
> > /usr/sbin/setsebool -P smbd_disable_trans=1
> >
> > That's what I had to do to get samba working with home shares on FC5.
>
> The second of these is turning off SELinux protection for the samba
> server. It really shouldn't be necessary to do that if you're just
> trying to share home directories (/home/*) using samba.

For some odd reason I needed to add the second one to get things working
the first time around. I just tried it again without the second one and
everything works fine. I guess I did something wrong the first time.

Thanks for clarifying. :)

Bob

--
Bob Kashani
http://www.gnome.org/~bobk/

From dwalsh at redhat.com Thu Apr 6 18:34:07 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 06 Apr 2006 14:34:07 -0400
Subject: Selinux & httpd in FC5
In-Reply-To: <59313.192.100.116.143.1144147941.squirrel@www.viikarit.com>
References: <39592.192.100.116.143.1144146570.squirrel@www.viikarit.com> <59313.192.100.116.143.1144147941.squirrel@www.viikarit.com>
Message-ID: <44355F1F.1050402@redhat.com>

Jouni Viikari wrote:
> Hi,
>
> I just noticed that I was able to run cgi-scripts on apache which type was
> bin_t instead of httpd_sys_script_exec_t. Is this expected nowadays? I
> am using FC5 with the latest updates
> (selinux-policy-targeted-2.2.25-3.fc5)
>
> apache is allowed to execute bin_t.
> Also this bin_t script was able to read files which were by accident
> httpd_sys_script_exec_t type.
>
The fact the script was bin_t does not mean that it was running in that
domain. Basically there is no domain transition happening. Apache runs in
httpd_t, which is allowed to run bin_t. But it will stay in the context of
httpd_t. So when the bin_t labeled application runs
httpd_sys_script_exec_t, from SELinux's point of view it is httpd_t
executing httpd_sys_script_exec_t. In this case there will be a transition
to httpd_sys_script_t.

> My booleans:
>
> # getsebool -a | grep httpd
> allow_httpd_anon_write --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_network_connect --> on
> httpd_can_network_connect_db --> off
> httpd_can_network_relay --> off
> httpd_disable_trans --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> on
> httpd_ssi_exec --> on
> httpd_suexec_disable_trans --> off
> httpd_tty_comm --> off
> httpd_unified --> off
>
> BTW, is there a way or tools to find out what e.g. httpd_exec_t program is
> allowed to do (and what do the booleans really affect) on currently active
> policy?
>
apol

> Best regards,
>
> Jouni
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From cpebenito at tresys.com Thu Apr 6 18:40:16 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 06 Apr 2006 14:40:16 -0400
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org> <1144344978.2967.201.camel@copper.cdkkt.com> <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144348817.20173.8.camel@sgc>

On Thu, 2006-04-06 at 14:04 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
[cut]
> allow smbd_t httpdcontent:dir create_dir_perms;
> allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
[cut]
> Notes to others on cc list:
> 1) Should this already be supported under a boolean in the base policy?

Doesn't seem unreasonable to add.

> 2) If not (or even if so), do we need more general interfaces from
> apache to allow other domains to manage all httpd content types?

It would be required for the support to be added to refpolicy.

> 3) Did I really need to create empty .if and .fc files, or was there
> some way to suppress the need for them when I did the make?

I don't know of a way that doesn't need more infrastructure. I'll add a
target for fc and if files which will touch them if they're missing, which
will have the same effect.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From dant at cdkkt.com Thu Apr 6 20:18:57 2006
From: dant at cdkkt.com (Dan Thurman)
Date: Thu, 06 Apr 2006 13:18:57 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org> <1144344978.2967.201.camel@copper.cdkkt.com> <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144354737.3011.0.camel@copper.cdkkt.com>

On Thu, 2006-04-06 at 14:04 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-06 at 10:36 -0700, Dan Thurman wrote:
> > Ugh... I am too stupid to figure this out.
> >
> > Can someone give me some examples, step-by-step how I can do it?
> >
> > Steps perform IN ORDER listed:
> > 1) relabel /var/www
> >    a) chcon -R -t public_content_t /var/www
> >    b) chcon -R -t public_content_rw_t /var/www/html/php (hypothetical
> >       PHP area)
> > 2) Local policy rules
> >    a) ???? I have no clue how to do this step!
>
> If taking option (2), you don't need to relabel /var/www at all - leave
> it with the httpd* types. Instead, you just allow the domain in which
> samba runs to access the httpd content types. Try the following
> sequence:
> $ mkdir foo
> $ cd foo
> $ vi local.te
>
> policy_module(local, 1.0)
>
> require {
>     attribute httpdcontent;
>     type smbd_t;
> }
>
> allow smbd_t httpdcontent:dir create_dir_perms;
> allow smbd_t httpdcontent:{ file lnk_file } create_file_perms;
>
> :wq
> $ touch local.if local.fc
> $ make -f /usr/share/selinux/devel/Makefile
> Compliling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 5) to tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
>
> $ su
> Password:
> # semodule -i local.pp
>
> Then re-try accessing the /var/www content from samba, and if it still
> doesn't work, check your /var/log/messages files for avc: denied
> messages.
>
> Notes to others on cc list:
> 1) Should this already be supported under a boolean in the base policy?
> 2) If not (or even if so), do we need more general interfaces from
> apache to allow other domains to manage all httpd content types?
> 3) Did I really need to create empty .if and .fc files, or was there
> some way to suppress the need for them when I did the make?
> 4) Compliling isn't a word ;)
>

Uh oh... I tried to follow your 2) example, and here are the results...

    [root at copper ~]# mkdir foo
    [root at copper ~]# cd foo
    [root at copper foo]# ls
    [root at copper foo]# vi local.te
    [root at copper foo]# touch local.if local.fc
    [root at copper foo]# make -f /usr/share/selinux/devel/Makefile
    Compliling targeted local module
    make: /usr/bin/checkmodule: Command not found
    make: *** [tmp/local.mod] Error 127
    [root at copper foo]#

Kind regards,

Dan

From csellers at tresys.com Thu Apr 6 20:24:35 2006
From: csellers at tresys.com (Chad Sellers)
Date: Thu, 06 Apr 2006 16:24:35 -0400
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144354737.3011.0.camel@copper.cdkkt.com>
Message-ID:

On 4/6/06 4:18 PM, "Dan Thurman" wrote:
>
> Uh oh... tried to follow your 2) example, and here is the results...
>
> [root at copper ~]# mkdir foo
> [root at copper ~]# cd foo
> [root at copper foo]# ls
> [root at copper foo]# vi local.te
> [root at copper foo]# touch local.if local.fc
> [root at copper foo]# make -f /usr/share/selinux/devel/Makefile
> Compliling targeted local module
> make: /usr/bin/checkmodule: Command not found
> make: *** [tmp/local.mod] Error 127
> [root at copper foo]#
>
You need to install the checkpolicy rpm, which includes checkmodule. So,
just yum install it and that should solve this problem.

Chad

From paul at city-fan.org Fri Apr 7 13:05:39 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 07 Apr 2006 14:05:39 +0100
Subject: proftpd logs
Message-ID: <443663A3.9010107@city-fan.org>

proftpd likes to handle its own logging, and needs the following before it
will work:

    module proftpd 0.2;

    require {
        class dir { getattr search };
        type ftpd_t;
        type xferlog_t;
    };

    allow ftpd_t xferlog_t:dir { getattr search };

This is for the following proftpd log setup:

    ExtendedLog /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog /var/log/proftpd/auth.log AUTH auth

This is the default in the Extras package if you uncomment the anonymous
ftp server bits from the included configuration file:

http://cvs.fedora.redhat.com/viewcvs/devel/proftpd/proftpd.conf?root=extras&view=markup

Paul.

From bobk at ocf.berkeley.edu Fri Apr 7 22:46:11 2006
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 07 Apr 2006 15:46:11 -0700
Subject: Xen AVC's FC5
Message-ID: <1144449972.2590.6.camel@chaucer>

Xen doesn't seem to work with selinux enabled in FC5. :( Is the recommended
solution to turn selinux off when using xen in FC5?

selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5
kernel-xen0-2.6.16-1.2080_FC5

    [root at chaucer ~]# audit2allow -l -i /var/log/audit/audit.log
    allow cupsd_t var_run_t:dir setattr;
    allow ifconfig_t xend_t:unix_stream_socket { read write };
    allow smbd_t user_home_dir_t:file getattr;
    allow xenconsoled_t console_device_t:chr_file { read write };
    allow xend_t netutils_exec_t:file getattr;
    allow xenstored_t console_device_t:chr_file { read write };
    allow xenstored_t xen_device_t:chr_file { getattr read unlink write };

These are the AVC's that I get when I boot into the xen kernel:
mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.772:29): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.772:30): avc: denied { read write } for pid=2199 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.772:30): arch=40000003 syscall=11 success=yes exit=0 a0=8a621d0 a1=8a608a0 a2=8a55b90 a3=8a61228 items=2 pid=2199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449057.772:30): path="socket:[7118]" type=CWD msg=audit(1144449057.772:30): cwd="/" type=PATH msg=audit(1144449057.772:30): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.772:30): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.780:31): avc: denied { read write } for pid=2200 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.780:31): arch=40000003 syscall=11 success=yes exit=0 a0=8a62178 a1=8a61368 a2=8a55b90 a3=8a61600 items=2 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449057.780:31): path="socket:[7118]" type=CWD msg=audit(1144449057.780:31): cwd="/" type=PATH msg=audit(1144449057.780:31): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.780:31): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.792:32): avc: denied { read write } for pid=2201 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.792:32): arch=40000003 syscall=11 success=yes exit=0 a0=8a621f0 a1=8a50318 a2=8a55b90 a3=8a61198 items=2 pid=2201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449057.792:32): path="socket:[7118]" type=CWD msg=audit(1144449057.792:32): cwd="/" type=PATH msg=audit(1144449057.792:32): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.792:32): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.812:33): avc: denied { read write } for pid=2205 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.812:33): arch=40000003 syscall=11 success=yes exit=0 a0=8a60f18 a1=8a61b60 a2=8a55b90 a3=8a61138 items=2 pid=2205 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449057.812:33): path="socket:[7118]" type=CWD msg=audit(1144449057.812:33): cwd="/" type=PATH msg=audit(1144449057.812:33): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.812:33): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.812:34): avc: denied { read write } for pid=2206 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.812:34): arch=40000003 syscall=11 success=yes exit=0 a0=8a61798 a1=8a61b60 a2=8a55b90 a3=8a61788 items=2 pid=2206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH 
msg=audit(1144449057.812:34): path="socket:[7118]" type=CWD msg=audit(1144449057.812:34): cwd="/" type=PATH msg=audit(1144449057.812:34): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.812:34): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.820:35): avc: denied { read write } for pid=2207 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.820:35): arch=40000003 syscall=11 success=yes exit=0 a0=8a611f8 a1=8a61b60 a2=8a55b90 a3=8a61040 items=2 pid=2207 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449057.820:35): path="socket:[7118]" type=CWD msg=audit(1144449057.820:35): cwd="/" type=PATH msg=audit(1144449057.820:35): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.820:35): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449057.864:36): avc: denied { read write } for pid=2209 comm="ifconfig" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449057.864:36): arch=40000003 syscall=11 success=yes exit=0 a0=8a61fe8 a1=8a61558 a2=8a55b90 a3=8a62398 items=2 pid=2209 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifconfig" exe="/sbin/ifconfig" type=AVC_PATH msg=audit(1144449057.864:36): path="socket:[7118]" type=CWD msg=audit(1144449057.864:36): cwd="/" type=PATH msg=audit(1144449057.864:36): item=0 name="/sbin/ifconfig" flags=101 inode=102062 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449057.864:36): item=1 flags=101 
inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.020:37): avc: denied { read write } for pid=2241 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.020:37): arch=40000003 syscall=11 success=yes exit=0 a0=98b0180 a1=988cf58 a2=988b760 a3=98b0080 items=2 pid=2241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449058.020:37): path="socket:[7118]" type=CWD msg=audit(1144449058.020:37): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.020:37): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.020:37): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.040:38): avc: denied { read write } for pid=2247 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.040:38): arch=40000003 syscall=11 success=yes exit=0 a0=98ae860 a1=988cf58 a2=988b810 a3=98ae598 items=2 pid=2247 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449058.040:38): path="socket:[7118]" type=CWD msg=audit(1144449058.040:38): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.040:38): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.040:38): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.052:39): avc: denied { read write } for pid=2249 comm="iwconfig" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.052:39): arch=40000003 syscall=11 success=yes exit=0 a0=98a95d8 a1=98aca10 a2=988b760 a3=98ab010 items=2 pid=2249 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="iwconfig" exe="/sbin/iwconfig" type=AVC_PATH msg=audit(1144449058.052:39): path="socket:[7118]" type=CWD msg=audit(1144449058.052:39): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.052:39): item=0 name="/sbin/iwconfig" flags=101 inode=102068 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.052:39): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.072:40): avc: denied { read write } for pid=2251 comm="ethtool" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.072:40): arch=40000003 syscall=11 success=yes exit=0 a0=988a6a0 a1=988e7c8 a2=988a9a8 a3=98ae9c8 items=2 pid=2251 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ethtool" exe="/sbin/ethtool" type=AVC_PATH msg=audit(1144449058.072:40): path="socket:[7118]" type=CWD msg=audit(1144449058.072:40): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.072:40): item=0 name="/sbin/ethtool" flags=101 inode=102186 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.072:40): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.080:41): avc: denied { read write } for pid=2254 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.080:41): arch=40000003 syscall=11 success=yes exit=0 a0=98b4628 a1=98871a0 a2=988a9a8 a3=98b3a10 items=2 pid=2254 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449058.080:41): path="socket:[7118]" type=CWD msg=audit(1144449058.080:41): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.080:41): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.080:41): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.092:42): avc: denied { read write } for pid=2255 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.092:42): arch=40000003 syscall=11 success=yes exit=0 a0=98b3a10 a1=98b4190 a2=9887310 a3=98b3ab0 items=2 pid=2255 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449058.092:42): path="socket:[7118]" type=CWD msg=audit(1144449058.092:42): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.092:42): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.092:42): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.100:43): avc: denied { getattr } for pid=2214 comm="ifup-eth" name="arping" dev=hda2 ino=99965 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file type=SYSCALL msg=audit(1144449058.100:43): arch=40000003 syscall=195 success=no exit=-13 a0=988a498 a1=bf874d10 a2=5fdff4 a3=988a498 items=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifup-eth" exe="/bin/bash" type=AVC_PATH msg=audit(1144449058.100:43): path="/sbin/arping" type=CWD msg=audit(1144449058.100:43): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.100:43): 
item=0 name="/sbin/arping" flags=1 inode=99965 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.100:44): avc: denied { getattr } for pid=2214 comm="ifup-eth" name="arping" dev=hda2 ino=99965 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file type=SYSCALL msg=audit(1144449058.100:44): arch=40000003 syscall=195 success=no exit=-13 a0=988a498 a1=bf874d10 a2=5fdff4 a3=988a498 items=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifup-eth" exe="/bin/bash" type=AVC_PATH msg=audit(1144449058.100:44): path="/sbin/arping" type=CWD msg=audit(1144449058.100:44): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.100:44): item=0 name="/usr/sbin/arping" flags=1 inode=99965 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.120:45): avc: denied { read write } for pid=2262 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.120:45): arch=40000003 syscall=11 success=yes exit=0 a0=98b4070 a1=98871a0 a2=988a9a8 a3=98b4060 items=2 pid=2262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449058.120:45): path="socket:[7118]" type=CWD msg=audit(1144449058.120:45): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.120:45): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.120:45): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.120:46): avc: denied { read write } for pid=2263 comm="ethtool" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.120:46): 
arch=40000003 syscall=11 success=yes exit=0 a0=9889960 a1=98b27d0 a2=988a9a8 a3=98b3398 items=2 pid=2263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ethtool" exe="/sbin/ethtool" type=AVC_PATH msg=audit(1144449058.120:46): path="socket:[7118]" type=CWD msg=audit(1144449058.120:46): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.120:46): item=0 name="/sbin/ethtool" flags=101 inode=102186 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.120:46): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.132:47): avc: denied { read write } for pid=2265 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.132:47): arch=40000003 syscall=11 success=yes exit=0 a0=98b36a8 a1=98871a0 a2=988a9a8 a3=98b3658 items=2 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip" type=AVC_PATH msg=audit(1144449058.132:47): path="socket:[7118]" type=CWD msg=audit(1144449058.132:47): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.132:47): item=0 name="/sbin/ip" flags=101 inode=102202 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.132:47): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449058.200:48): avc: denied { read write } for pid=2279 comm="ifconfig" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1144449058.200:48): arch=40000003 syscall=11 success=yes exit=0 a0=9c020b8 a1=9c01618 a2=9beea80 a3=9c014f8 items=2 pid=2279 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifconfig" exe="/sbin/ifconfig" type=AVC_PATH 
msg=audit(1144449058.200:48): path="socket:[7118]" type=CWD msg=audit(1144449058.200:48): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449058.200:48): item=0 name="/sbin/ifconfig" flags=101 inode=102062 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1144449058.200:48): item=1 flags=101 inode=1298196 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449060.120:49): avc: denied { getattr } for pid=2258 comm="ifup-eth" name="arping" dev=hda2 ino=99965 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file type=SYSCALL msg=audit(1144449060.120:49): arch=40000003 syscall=195 success=no exit=-13 a0=988a498 a1=bf874a90 a2=5fdff4 a3=988a498 items=1 pid=2258 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifup-eth" exe="/bin/bash" type=AVC_PATH msg=audit(1144449060.120:49): path="/sbin/arping" type=CWD msg=audit(1144449060.120:49): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449060.120:49): item=0 name="/sbin/arping" flags=1 inode=99965 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1144449060.120:50): avc: denied { getattr } for pid=2258 comm="ifup-eth" name="arping" dev=hda2 ino=99965 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file type=SYSCALL msg=audit(1144449060.120:50): arch=40000003 syscall=195 success=no exit=-13 a0=988a498 a1=bf874a90 a2=5fdff4 a3=988a498 items=1 pid=2258 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifup-eth" exe="/bin/bash" type=AVC_PATH msg=audit(1144449060.120:50): path="/sbin/arping" type=CWD msg=audit(1144449060.120:50): cwd="/etc/sysconfig/network-scripts" type=PATH msg=audit(1144449060.120:50): item=0 name="/usr/sbin/arping" flags=1 inode=99965 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 Bob -- Bob Kashani http://www.gnome.org/~bobk/ From mroselinux at eastgranby.k12.ct.us Sat Apr 8 00:43:46 2006 
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us)
Date: Fri, 7 Apr 2006 20:43:46 -0400 (EDT)
Subject: [FC5] rsyncd invocation from rc.local
Message-ID: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us>

I am migrating a samba server from FC3 to FC5. I did a fresh install and
have run into an SELINUX policy issue. I have no problem logging on as
root and typing in rsync --daemon, but when I insert the same line at the
end of /etc/rc.d/rc.local and reboot, then /var/log/messages shows the
following (with other stuff edited out).

----------------------------------------------------------------------
Apr 7 20:18:50 localhost kernel: hub 2-0:1.0: USB hub found
Apr 7 20:18:50 localhost rsyncd[2062]: rsync: failed to open log-file /var/log/rsyncd.log: Permission denied (13)
Apr 7 20:18:50 localhost rsyncd[2062]: Ignoring "log file" setting.
Apr 7 20:18:50 localhost rsyncd[2062]: rsyncd version 2.6.6 starting, listening on port 873
Apr 7 20:18:50 localhost rsyncd[2062]: unable to bind any inbound sockets on port 873
Apr 7 20:18:50 localhost rsyncd[2062]: rsync error: error in socket IO (code 10) at socket.c(448)
Apr 7 20:18:53 localhost kernel: SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
Apr 7 20:18:53 localhost kernel: ppdev: user-space parallel port driver
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:2): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:3): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:4): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.593:5): avc: denied { search } for pid=2062 comm="rsync" name="log" dev=dm-0 ino=3309596 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 7 20:18:53 localhost kernel: audit(1144455530.645:6): avc: denied { name_bind } for pid=2062 comm="rsync" src=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
Apr 7 20:18:53 localhost kernel: audit(1144455530.645:7): avc: denied { name_bind } for pid=2062 comm="rsync" src=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
Apr 7 20:18:53 localhost kernel: [drm] Initialized drm 1.0.1 20051102
Apr 7 20:18:53 localhost kernel: ACPI: PCI Interrupt 0000:00:02.0[A] -> GSI 16 (level, low) -> IRQ 19
Apr 7 20:18:53 localhost kernel: [drm] Initialized i915 1.4.0 20060119 on minor 0
Apr 7 20:21:39 localhost gconfd (root-2295): starting (version 2.14.0), pid 2295 user 'root'
Apr 7 20:21:39 localhost gconfd (root-2295): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Apr 7 20:21:39 localhost gconfd (root-2295): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Apr 7 20:21:39 localhost gconfd (root-2295): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Apr 7 20:21:40 localhost gconfd (root-2295): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
Apr 7 20:21:41 localhost kernel: audit(1144455701.420:8): avc: denied { use } for pid=2330 comm="bluez-pin" name="[7435]" dev=pipefs ino=7435 scontext=root:system_r:bluetooth_helper_t:s0-s0:c0.c255 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
Apr 7 20:21:41 localhost kernel: audit(1144455701.420:9): avc: denied { use } for pid=2330 comm="bluez-pin" name="[7435]" dev=pipefs ino=7435 scontext=root:system_r:bluetooth_helper_t:s0-s0:c0.c255 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
------------------------------------------------------------------------------

What do I need to do to allow rsync --daemon from within /etc/rc.d/rc.local?

Mark Orenstein
East Granby (CT) School System

From mroselinux at eastgranby.k12.ct.us Sat Apr 8 01:24:21 2006
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us)
Date: Fri, 7 Apr 2006 21:24:21 -0400 (EDT)
Subject: [FC5] New Partition help
Message-ID: <1830.24.2.210.202.1144459461.squirrel@mail.eastgranby.k12.ct.us>

As I indicated in a previous message, I am migrating a samba server from
FC3 to FC5 and have run into another SELINUX policy issue. I have a
second hard drive with a single ext3 partition that I primarily use for
backups. It is labeled /backup. I did a mkdir /backup and entered the
appropriate line into fstab. When I reboot, I get the following

-----------------------------------------------------------------------
Apr 7 21:08:11 localhost kernel: audit(1144458480.400:2): avc: denied { getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Apr 7 21:08:11 localhost kernel: audit(1144458480.444:3): avc: denied { getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Apr 7 21:08:11 localhost kernel: audit(1144458480.516:4): avc: denied { getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
--------------------------------------------------------------------------

What do I need to do to support the /backup partition with SELINUX?

Mark Orenstein
East Granby (CT) School System

From bobk at ocf.berkeley.edu Sat Apr 8 01:55:02 2006
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 07 Apr 2006 18:55:02 -0700
Subject: [FC5] New Partition help
In-Reply-To: <1830.24.2.210.202.1144459461.squirrel@mail.eastgranby.k12.ct.us>
References: <1830.24.2.210.202.1144459461.squirrel@mail.eastgranby.k12.ct.us>
Message-ID: <1144461302.2169.4.camel@chaucer>

On Fri, 2006-04-07 at 21:24 -0400, mroselinux at eastgranby.k12.ct.us wrote:
> As I indicated in a previous message, I am migrating a samba server from
> FC3 to FC5 and have run into another SELINUX policy issue. I have a
> second hard drive with a single ext3 partition that I primarily use for
> backups. It is labeled /backup. I did a mkdir /backup and entered the
> appropriate line into fstab. When I reboot, I get the following
> 
> -----------------------------------------------------------------------
> 
> Apr 7 21:08:11 localhost kernel: audit(1144458480.400:2): avc: denied {
> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2
> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0
> tclass=dir
> Apr 7 21:08:11 localhost kernel: audit(1144458480.444:3): avc: denied {
> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2
> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0
> tclass=dir
> Apr 7 21:08:11 localhost kernel: audit(1144458480.516:4): avc: denied {
> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2
> scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0
> tclass=dir
> 
> --------------------------------------------------------------------------
> 
> What do I need to do to support the /backup partition with SELINUX?

I have the same setup. :) Mine is labeled root_t it seems.

[medieval at chaucer ~]$ ls -Zd /mnt/hdb1
drwxr-xr-x root root system_u:object_r:root_t /mnt/hdb1

Try this:

chcon -t root_t /mnt/hdb1

See if that helps. You can also do a "restorecon -R /mnt/hdb1" too I
think.

Bob

-- 
Bob Kashani
http://www.gnome.org/~bobk/

From mroselinux at eastgranby.k12.ct.us Sat Apr 8 20:04:54 2006
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us)
Date: Sat, 8 Apr 2006 16:04:54 -0400 (EDT)
Subject: [FC5] New Partition help
In-Reply-To: <1144461302.2169.4.camel@chaucer>
References: <1830.24.2.210.202.1144459461.squirrel@mail.eastgranby.k12.ct.us>
	<1144461302.2169.4.camel@chaucer>
Message-ID: <49972.24.2.210.202.1144526694.squirrel@mail.eastgranby.k12.ct.us>

> On Fri, 2006-04-07 at 21:24 -0400, mroselinux at eastgranby.k12.ct.us
> wrote:
>> As I indicated in a previous message, I am migrating a samba server from
>> FC3 to FC5 and have run into another SELINUX policy issue. I have a
>> second hard drive with a single ext3 partition that I primarily use for
>> backups. It is labeled /backup. I did a mkdir /backup and entered the
>> appropriate line into fstab. When I reboot, I get the following
>>
>> -----------------------------------------------------------------------
>>
>> Apr 7 21:08:11 localhost kernel: audit(1144458480.400:2): avc: denied
>> {
>> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2
>> scontext=system_u:system_r:hald_t:s0
>> tcontext=system_u:object_r:file_t:s0
>> tclass=dir
>> Apr 7 21:08:11 localhost kernel: audit(1144458480.444:3): avc: denied
>> {
>> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2
>> scontext=system_u:system_r:hald_t:s0
>> tcontext=system_u:object_r:file_t:s0
>> tclass=dir
>> Apr 7 21:08:11 localhost kernel: audit(1144458480.516:4): avc: denied
>> {
>> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2
>> scontext=system_u:system_r:hald_t:s0
>> tcontext=system_u:object_r:file_t:s0
>> tclass=dir
>>
>> --------------------------------------------------------------------------
>>
>> What do I need to do to support the /backup partition with SELINUX?
>
> I have the same setup. :) Mine is labeled root_t it seems.
>
> [medieval at chaucer ~]$ ls -Zd /mnt/hdb1
> drwxr-xr-x root root system_u:object_r:root_t /mnt/hdb1
>
> Try this:
>
> chcon -t root_t /mnt/hdb1
>
> See if that helps. You can also do a "restorecon -R /mnt/hdb1" too I
> think.
>
> Bob
>
> --
> Bob Kashani
> http://www.gnome.org/~bobk/
>
>

Hi Bob,

Thanks for the reply. My setup must be somewhat different from yours
because my second HD is /dev/hdb2. In any event, here is a screen copy of
what I tried.

[root at localhost ~]# ls -Zd /mnt/hdb1
ls: /mnt/hdb1: No such file or directory
[root at localhost ~]# ls -Zd /mnt/hdb1
ls: /mnt/hdb1: No such file or directory
[root at localhost ~]# ls -Zd /dev/hdb1
brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/hdb1
[root at localhost ~]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                      17775388   2423964  14433920  15% /
/dev/hda1               101086     14054     81813  15% /boot
/dev/hdb1             19243740    176288  18089900   1% /backup
tmpfs                   257324         0    257324   0% /dev/shm
[root at localhost ~]# ls -Zd /backup
drwxr-xr-x root root system_u:object_r:file_t /backup
[root at localhost ~]# restorecon /backup
[root at localhost ~]# ls -Zd /backup
drwxr-xr-x root root system_u:object_r:default_t /backup
[root at localhost ~]# chcon -t root_t /backup
[root at localhost ~]# ls -Zd /backup
drwxr-xr-x root root system_u:object_r:root_t /backup
[root at localhost ~]#

After the chcon and rebooting the system, the HAL denied messages did not
occur. I still have more experimenting to do with data under /backup.

Regards,
Mark

From citizenx at devia.org Sun Apr 9 09:49:29 2006
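An added example, not code from this list or from any of the posters: a small Python triage helper for the kind of AVC denials quoted in the rsyncd and /backup threads above. It parses both record shapes seen on this page (the kernel/syslog form in /var/log/messages and the type=AVC form in Bob's attached audit log), groups the denials by source type, target type, object class and permission set, and flags the groups whose target type is a generic fallback label (file_t, default_t, unlabeled_t), where the remedy is relabelling the object rather than changing policy, which is what Mark's restorecon/chcon session shows for /backup. The sample log is constructed from lines copied out of those messages plus two non-AVC lines to show they are skipped; the LABELING_TYPES set and the labeling/policy split are the example's own heuristic, not something the thread states.

```python
"""Triage SELinux AVC denials from /var/log/messages or audit.log text.

Added example for this thread, not list or project code. It recognises the
kernel/syslog form ("... kernel: audit(1144455530.593:5): avc: denied ...")
and the auditd form ("type=AVC msg=audit(...): avc: denied ...").
"""
import re
from collections import Counter

# Matches the AVC body regardless of what precedes "audit(".
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (this example's assumption): target types that mean the object
# never received a real label. file_t is an unlabelled inode, default_t
# means no file_contexts entry matched, unlabeled_t is the kernel fallback.
# For these, relabel the object; do not write an allow rule.
LABELING_TYPES = {"file_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(m.group("perms").split()),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # Contexts are user:role:type[:range]; policy rules name the type.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) > 2 else ""
    return rec


def classify(rec):
    """'labeling' if the target carries a fallback label, else 'policy'."""
    return "labeling" if rec["tcontext_type"] in LABELING_TYPES else "policy"


def summarize(lines):
    """Group denials by (source type, target type, class, permissions)."""
    counts = Counter()
    first_seen = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # kernel, gconfd and SYSCALL lines are not denials
        key = (rec["scontext_type"], rec["tcontext_type"],
               rec.get("tclass", ""), rec["perms"])
        counts[key] += 1
        first_seen.setdefault(key, rec)
    rows = []
    for key, n in counts.most_common():
        src, tgt, cls, perms = key
        rows.append({"source": src, "target": tgt, "tclass": cls,
                     "perms": perms, "count": n,
                     "comm": first_seen[key].get("comm", ""),
                     "kind": classify(first_seen[key])})
    return rows


def render(rows):
    """Plain-text report, one grouped denial per line."""
    return "\n".join(
        f"{r['count']:>3}x {r['comm']:<8} {r['source']} -> {r['target']} "
        f"{r['tclass']} {{ {' '.join(r['perms'])} }}  [{r['kind']}]"
        for r in rows
    )


# Constructed sample: lines copied from the rsyncd and /backup messages in
# this thread, one type=AVC/SYSCALL pair from the attached audit log, and
# one kernel line with no denial in it.
SAMPLE_LOG = """\
Apr 7 20:18:53 localhost kernel: ppdev: user-space parallel port driver
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:2): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:3): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.593:5): avc: denied { search } for pid=2062 comm="rsync" name="log" dev=dm-0 ino=3309596 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 7 20:18:53 localhost kernel: audit(1144455530.645:6): avc: denied { name_bind } for pid=2062 comm="rsync" src=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
Apr 7 21:08:11 localhost kernel: audit(1144458480.400:2): avc: denied { getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Apr 7 21:08:11 localhost kernel: audit(1144458480.444:3): avc: denied { getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1144449057.632:21): avc: denied { read write } for pid=2169 comm="ip" name="[7118]" dev=sockfs ino=7118 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1144449057.632:21): arch=40000003 syscall=11 success=yes exit=0 a0=8925ab0 a1=88ff1a0 a2=8901910 a3=89013e8 items=2 pid=2169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
"""

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Run against the sample, the report collapses seven denial lines into five groups; the hald_t -> file_t group is the only one tagged labeling, which matches the outcome in the thread (relabelling /backup made the HAL denials stop), while the rsync_t groups remain policy questions for the list to answer.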
From: citizenx at devia.org (Tor Arne Thune) Date: Sun, 09 Apr 2006 11:49:29 +0200 Subject: SELinux blocking something related to camera Message-ID: <4438D8A9.9030107@devia.org> Hi. I am having some trouble accessing my Canon EOS 10D camera through digikam as non-root. SELinux seems to be blocking something. When I turn the camera on I get these messages in /var/log/messages: Apr 9 10:34:43 ranger kernel: usb 2-1: new full speed USB device using uhci_hcd and address 2 Apr 9 10:34:44 ranger kernel: usb 2-1: configuration #1 chosen from 1 choice Apr 9 10:34:44 ranger kernel: audit(1144571684.462:10): avc: denied { search } for pid=21743 comm="cat" name="console" dev=dm-0 ino=1474652 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir Apr 9 10:37:03 ranger kernel: usb 2-1: USB disconnect, address 2 What should I disable in the SELinux policy to make this work? Any thoughts are greatly appreciated. From paul at city-fan.org Sun Apr 9 11:15:00 2006 
From: paul at city-fan.org (Paul Howarth) Date: Sun, 09 Apr 2006 12:15:00 +0100 Subject: SELinux blocking something related to camera In-Reply-To: <4438D8A9.9030107@devia.org> References: <4438D8A9.9030107@devia.org> Message-ID: <1144581301.9865.106.camel@laurel.intra.city-fan.org> On Sun, 2006-04-09 at 11:49 +0200, Tor Arne Thune wrote: > Hi. > I am having some trouble accessing my Canon EOS 10D camera through > digikam as non-root. SELinux seems to be blocking something. When I turn > the camera on I get these messages in /var/log/messages: > Apr 9 10:34:43 ranger kernel: usb 2-1: new full speed USB device using > uhci_hcd and address 2 > Apr 9 10:34:44 ranger kernel: usb 2-1: configuration #1 chosen from 1 > choice > Apr 9 10:34:44 ranger kernel: audit(1144571684.462:10): avc: denied { > search } for pid=21743 comm="cat" name="console" dev=dm-0 ino=1474652 > scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir > Apr 9 10:37:03 ranger kernel: usb 2-1: USB disconnect, address 2 > > What should I disable in the SELinux policy to make this work? Any > thoughts are greatly appreciated. FWIW, you're not the only digikam user to experience this: http://www.redhat.com/archives/fedora-list/2006-April/msg01718.html Paul. From paul at city-fan.org Sun Apr 9 13:47:05 2006 
From: paul at city-fan.org (Paul Howarth) Date: Sun, 09 Apr 2006 14:47:05 +0100 Subject: [FC5] rsyncd invocation from rc.local In-Reply-To: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us> References: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us> Message-ID: <1144590426.9865.132.camel@laurel.intra.city-fan.org> On Fri, 2006-04-07 at 20:43 -0400, mroselinux at eastgranby.k12.ct.us wrote: > I am migrating a samba server from FC3 to FC5. I did a fresh install and > have run into an SELINUX policy issue. I have no problem logging on as > root and typing in rsync --daemon, but when I insert the same line at the > end of /etc/rc.d/rc.local and reboot, then /var/log/messages shows the > following (with other stuff edited out). > > ---------------------------------------------------------------------- > > > Apr 7 20:18:50 localhost kernel: hub 2-0:1.0: USB hub found > Apr 7 20:18:50 localhost rsyncd[2062]: rsync: failed to open log-file > /var/log/rsyncd.log: Permission denied (13) > Apr 7 20:18:50 localhost rsyncd[2062]: Ignoring "log file" setting. 
> Apr 7 20:18:50 localhost rsyncd[2062]: rsyncd version 2.6.6 starting, > listening on port 873 > Apr 7 20:18:50 localhost rsyncd[2062]: unable to bind any inbound sockets > on port 873 > Apr 7 20:18:50 localhost rsyncd[2062]: rsync error: error in socket IO > (code 10) at socket.c(448) > Apr 7 20:18:53 localhost kernel: SELinux: initialized (dev autofs, type > autofs), uses genfs_contexts > Apr 7 20:18:53 localhost kernel: ppdev: user-space parallel port driver > Apr 7 20:18:53 localhost kernel: audit(1144455530.173:2): avc: denied { > use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 > scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 > tclass=fd > Apr 7 20:18:53 localhost kernel: audit(1144455530.173:3): avc: denied { > use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 > scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 > tclass=fd > Apr 7 20:18:53 localhost kernel: audit(1144455530.173:4): avc: denied { > use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 > scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 > tclass=fd > Apr 7 20:18:53 localhost kernel: audit(1144455530.593:5): avc: denied { > search } for pid=2062 comm="rsync" name="log" dev=dm-0 ino=3309596 > scontext=system_u:system_r:rsync_t:s0 > tcontext=system_u:object_r:var_log_t:s0 tclass=dir > Apr 7 20:18:53 localhost kernel: audit(1144455530.645:6): avc: denied { > name_bind } for pid=2062 comm="rsync" src=873 > scontext=system_u:system_r:rsync_t:s0 > tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket > Apr 7 20:18:53 localhost kernel: audit(1144455530.645:7): avc: denied { > name_bind } for pid=2062 comm="rsync" src=873 > scontext=system_u:system_r:rsync_t:s0 > tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket The rsync policy appears to assume that rsyncd will run from xinetd rather than using daemon mode. 
Not allowing rsync_t to bind to rsync_port_t does look like a bit of an omission... Paul. From gauret at free.fr Sun Apr 9 13:55:45 2006 From: gauret at free.fr (Aurelien Bompard) Date: Sun, 09 Apr 2006 15:55:45 +0200 Subject: SELinux support in awstats RPM Message-ID: Hi you SELinux gurus :) I'm trying to add SELinux support to my rpm of awstats in Extras. Awstats is a perl CGI script which analyses the webserver's logs (and other logs). It stores its (text-based) databases in /var/lib/awstats, and the cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an alias in an httpd conf file to make it visible from /awstats/ from the web. For the FC5 package, I've added two semanage calls in %pre to set the correct types on the cgi and the databases dir. Before committing and requesting a build, I'd like to make sure with you that I'm not doing something dangerous, since I'm rather new to SELinux. Here's the diff : --- awstats.spec 23 Feb 2006 10:17:11 -0000 1.10 +++ awstats.spec 9 Apr 2006 13:50:38 -0000 @@ -13,6 +13,7 @@ Requires: perl Requires(post): perl Requires(postun): /sbin/service +Requires(pre): policycoreutils %description Advanced Web Statistics is a powerful and featureful tool that generates 
@@ -112,6 +113,14 @@ %clean rm -rf $RPM_BUILD_ROOT + +%pre +# Set SELinux types +semanage fcontext -a -t httpd_sys_script_exec_t \ + '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' 2>/dev/null || : + + %post if [ $1 -eq 1 ]; then if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then Does it look correct to you ? If I run semanage in %pre, I should not need to run restorecon on /var/lib/awstats and on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ? Is there a better/cleaner way to do it ? This is a rather common case IMHO, so if we all agree I think it would be worth having as an example on the Fedora wiki. Thanks. Aurélien -- http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr "You do not really understand something unless you can explain it to your grandmother." -- Albert Einstein From paul at city-fan.org Sun Apr 9 14:21:38 2006 
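Review bot: `Requires(pre): policycoreutils` in the first hunk (`@@ -13,6 +13,7 @@`) only orders semanage ahead of the %pre scriptlet; if the fcontext definitions are ever removed again at uninstall time (the %postun question raised in the reply), a matching `Requires(postun): policycoreutils` is needed as well, otherwise rpm is free to remove policycoreutils before awstats' %postun runs in the same transaction. It is also worth a comment that the dependency is unconditional, so the package pulls policycoreutils onto machines with SELinux disabled; the `2>/dev/null || :` on the semanage calls is what keeps those installs from failing.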
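Review bot: the two `semanage fcontext -a` calls in the `@@ -112,6 +113,14 @@` hunk register new file context rules but nothing in the scriptlet applies them: %pre runs before the package's files are unpacked and restorecon is never called, so `/usr/share/awstats/wwwroot/cgi-bin` and `/var/lib/awstats` keep whatever label they received at unpack time (the later report in this thread that the cgi-bin files stay `usr_t` is consistent with that). Suggest adding `restorecon -R /usr/share/awstats/wwwroot/cgi-bin /var/lib/awstats 2>/dev/null || :` to %post, once the files exist. Two smaller points: `-a` is re-run on every upgrade because %pre has no `$1` guard (the existing %post already uses `if [ $1 -eq 1 ]`), and `2>/dev/null` discards the error from a genuinely failing semanage on first install, not just the "already defined" complaint on upgrade.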
From: paul at city-fan.org (Paul Howarth) Date: Sun, 09 Apr 2006 15:21:38 +0100 Subject: SELinux support in awstats RPM In-Reply-To: References: Message-ID: <1144592498.9865.143.camel@laurel.intra.city-fan.org> On Sun, 2006-04-09 at 15:55 +0200, Aurelien Bompard wrote: > Hi you SELinux gurus :) > > I'm trying to add SELinux support to my rpm of awstats in Extras. > Awstats is a perl CGI script which analyses the webserver's logs (and other > logs). It stores its (text-based) databases in /var/lib/awstats, and the > cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an > alias in an httpd conf file to make it visible from /awstats/ from the web. > > For the FC5 package, I've added two semanage calls in %pre to set the > correct types on the cgi and the databases dir. > Before committing and requesting a build, I'd like to make sure with you > that I'm not doing something dangerous, since I'm rather new to SELinux. > Here's the diff : > --- awstats.spec 23 Feb 2006 10:17:11 -0000 1.10 > +++ awstats.spec 9 Apr 2006 13:50:38 -0000 > @@ -13,6 +13,7 @@ > Requires: perl > Requires(post): perl > Requires(postun): /sbin/service > +Requires(pre): policycoreutils > > %description > Advanced Web Statistics is a powerful and featureful tool that generates 
> @@ -112,6 +113,14 @@ > %clean > rm -rf $RPM_BUILD_ROOT > > + > +%pre > +# Set SELinux types > +semanage fcontext -a -t httpd_sys_script_exec_t \ > + '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : > +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' > 2>/dev/null || : > + > + > %post > if [ $1 -eq 1 ]; then > if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then > > > Does it look correct to you ? If I run semanage in %pre, I should not need > to run restorecon on /var/lib/awstats and > on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ? > > Is there a better/cleaner way to do it ? > This is a rather common case IMHO, so if we all agree I think it would be > worth having as an example on the Fedora wiki. There was some discussion on local policy tweaks in packages last month (OK, I made a post and Stephen replied...): http://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00052.html The suggestion there was for a separate -policy subpackage but I think handling context changes in %pre should be OK. Shouldn't you remove the local policy customisation in %postun though? Paul. From mroselinux at eastgranby.k12.ct.us Sun Apr 9 14:47:29 2006 
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us) Date: Sun, 9 Apr 2006 10:47:29 -0400 (EDT) Subject: samba smb.conf utmp parameter In-Reply-To: <1144592498.9865.143.camel@laurel.intra.city-fan.org> References: <1144592498.9865.143.camel@laurel.intra.city-fan.org> Message-ID: <34840.24.2.210.202.1144594049.squirrel@mail.eastgranby.k12.ct.us> I am almost successfully using samba with selinux. I have run into a problem with the smb.conf utmp parameter which causes login/logout information to be written so commands such as who and last will display samba users. With utmp enabled, I am getting the following in /var/log/messages. Apr 9 10:36:21 localhost kernel: audit(1144593381.511:447): avc: denied { read write } for pid=3934 comm="smbd" name="utmp" dev=dm-0 ino=3309575 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file Apr 9 10:36:21 localhost kernel: audit(1144593381.511:448): avc: denied { read } for pid=3934 comm="smbd" name="utmp" dev=dm-0 ino=3309575 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file Apr 9 10:36:21 localhost kernel: audit(1144593381.511:449): avc: denied { read write } for pid=3934 comm="smbd" name="utmp" dev=dm-0 ino=3309575 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file Apr 9 10:36:21 localhost kernel: audit(1144593381.511:450): avc: denied { read } for pid=3934 comm="smbd" name="utmp" dev=dm-0 ino=3309575 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file I believe that the utmp file is in /var/run. What can I enter to avoid these messages per user connection and cause the logging to occur? Mark Orenstein East Granby School System From gauret at free.fr Sun Apr 9 15:02:44 2006 
From: gauret at free.fr (Aurelien Bompard) Date: Sun, 09 Apr 2006 17:02:44 +0200 Subject: SELinux support in awstats RPM References: <1144592498.9865.143.camel@laurel.intra.city-fan.org> Message-ID: Paul Howarth wrote: > There was some discussion on local policy tweaks in packages last month > (OK, I made a post and Stephen replied...): > http://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00052.html Yes, I saw that, it helped me find the right command. > The suggestion there was for a separate -policy subpackage but I think > handling context changes in %pre should be OK. OK. I don't think I'll change the policy frequently for such a small package, so I don't think a separate rpm is necessary in this particular case. > Shouldn't you remove the local policy customisation in %postun though? Well, I wonder. The database files will be left over after uninstall, because we don't want to lose that data, so should I not leave the proper file context definition as well ? I guess I'll remove the customization for the cgi-bin, this one is removed. Thanks, Aurélien -- http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr Growth for the sake of growth is the ideology of the cancer cell. From paul at city-fan.org Sun Apr 9 15:17:45 2006 
From: paul at city-fan.org (Paul Howarth) Date: Sun, 09 Apr 2006 16:17:45 +0100 Subject: SELinux support in awstats RPM In-Reply-To: References: <1144592498.9865.143.camel@laurel.intra.city-fan.org> Message-ID: <1144595866.9865.159.camel@laurel.intra.city-fan.org> On Sun, 2006-04-09 at 17:02 +0200, Aurelien Bompard wrote: > Paul Howarth wrote: > > Shouldn't you remove the local policy customisation in %postun though? > > Well, I wonder. The database files will be left over after uninstall, > because we don't want to lose that data, so should I not leave the proper > file context definition as well ? > I guess I'll remove the customization for the cgi-bin, this one is removed. The existing data files should all have the right context already, and they'd only lose that context if the system was relabelled. It could be a problem though if the package was deleted, the system got relabelled and then the package was reinstalled. That would leave the database files there and having the wrong context, so the newly-installed program wouldn't be able to write to them. So it's probably wise to leave that part of the policy in place as you say. Paul. From smooge at gmail.com Sun Apr 9 17:35:26 2006 
From: smooge at gmail.com (Stephen J. Smoogen) Date: Sun, 9 Apr 2006 11:35:26 -0600 Subject: [FC5] New Partition help In-Reply-To: <49972.24.2.210.202.1144526694.squirrel@mail.eastgranby.k12.ct.us> References: <1830.24.2.210.202.1144459461.squirrel@mail.eastgranby.k12.ct.us> <1144461302.2169.4.camel@chaucer> <49972.24.2.210.202.1144526694.squirrel@mail.eastgranby.k12.ct.us> Message-ID: <80d7e4090604091035p16a9ed81td9b058837b618d22@mail.gmail.com> On 4/8/06, mroselinux at eastgranby.k12.ct.us wrote: > > On Fri, 2006-04-07 at 21:24 -0400, mroselinux at eastgranby.k12.ct.us > > wrote: > >> As I indicated in a previous message, I am migrating a samba server from > >> FC3 to FC5 and have run into another SELINUX policy issue. I have a > >> second hard drive with a single ext3 partition that I primarily use for > >> backups. It is labeled /backup. I did a mkdir /backup and entered the > >> appropriate line into fstab. When I reboot, I get the following > >> > >> ----------------------------------------------------------------------- > >> > >> Apr 7 21:08:11 localhost kernel: audit(1144458480.400:2): avc: denied > >> { > >> getattr } for pid=2036 comm="hald" name="/" dev=hdb1 ino=2 ^^^^^ ^^^^^ > > [medieval at chaucer ~]$ ls -Zd /mnt/hdb1 > > drwxr-xr-x root root system_u:object_r:root_t /mnt/hdb1 > > Ok what is your system layout? From what I can tell in the below.. your VolGroup00-LogVol00 is probably on /dev/hdb1 but it is hard to tell.. > [root at localhost ~]# df > Filesystem 1K-blocks Used Available Use% Mounted on > /dev/mapper/VolGroup00-LogVol00 > 17775388 2423964 14433920 15% / > /dev/hda1 101086 14054 81813 15% /boot > /dev/hdb1 19243740 176288 18089900 1% /backup > tmpfs 257324 0 257324 0% /dev/shm Could you try the following and send the output: fdisk -l /dev/hda fdisk -l /dev/hdb That will help clear up any confusion. Next what does the command audit2allow -i /var/log/messages show in its output? I think you may be having multiple problems here.. 
and you will need to not literally take instructions from the list because we don't have your exact layout. In the case of the email from Bob, he was showing you what he needed to do on his system.. but that doesn't mean your system will match. Have you done a complete relabel of the system after booting? I found I needed to do this with my one FC3->FC5 system but not the other. > [root at localhost ~]# ls -Zd /backup > drwxr-xr-x root root system_u:object_r:file_t /backup > [root at localhost ~]# restorecon /backup > [root at localhost ~]# ls -Zd /backup > drwxr-xr-x root root system_u:object_r:default_t /backup > [root at localhost ~]# chcon -t root_t /backup > [root at localhost ~]# ls -Zd /backup > drwxr-xr-x root root system_u:object_r:root_t /backup > [root at localhost ~]# > > After the chcon and rebooting the system, the HAL denied messages did not > occur. I still have more experimenting to do with data under /backup. > > Regards, > Mark > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > -- Stephen J Smoogen. CSIRT/Linux System Administrator From bench at silentmedia.com Sun Apr 9 18:31:10 2006 
From: bench at silentmedia.com (Ben) Date: Sun, 9 Apr 2006 11:31:10 -0700 Subject: apache serving nfs-hosted files on FC5 Message-ID: <7BC7DEFF-0596-4EA6-B98B-0D13F382DC9A@silentmedia.com> Is there a simple boolean that lets me do this? My avc errors look like: Apr 9 11:21:50 charlotte kernel: audit(1144606910.006:153): avc: denied { search } for pid=17677 comm="httpd" name="/" dev=0:12 ino=292243 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir Apr 9 11:21:50 charlotte kernel: audit(1144606910.006:154): avc: denied { getattr } for pid=17677 comm="httpd" name="/" dev=0:12 ino=292243 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir On a related note, is there a way to see what the various booleans are supposed to be good for? From gauret at free.fr Mon Apr 10 08:36:30 2006 
From: gauret at free.fr (Aurelien Bompard) Date: Mon, 10 Apr 2006 10:36:30 +0200 Subject: SELinux support in awstats RPM References: <1144592498.9865.143.camel@laurel.intra.city-fan.org> <1144595866.9865.159.camel@laurel.intra.city-fan.org> Message-ID: Yeah, well, it doesn't work. If I run semanage in %pre, the files in /usr/share/awstats/wwwroot/cgi-bin are still labelled usr_t. I've made a separate package, as advised by Stephen in your mail, which runs semanage in %pre (I tried %post too), and I have the following results : - If I install both awstats and awstats-selinux at the same time (sudo rpm -Uvh noarch/awstats-*.rpm), the files are still usr_t - If I install them separately, first awstats-selinux and then awstats, the files are labelled correctly (httpd_sys_script_exec_t) It looks like some transaction mechanism in RPM is causing the problem here. Is there an RPM guru here ? Stephen ? Dan ? What is the correct solution ? Run restorecon in %post ? Thanks for your help, Aurélien -- http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin From paul at city-fan.org Mon Apr 10 09:32:23 2006 
From: paul at city-fan.org (Paul Howarth) Date: Mon, 10 Apr 2006 10:32:23 +0100 Subject: SELinux support in awstats RPM In-Reply-To: References: <1144592498.9865.143.camel@laurel.intra.city-fan.org> <1144595866.9865.159.camel@laurel.intra.city-fan.org> Message-ID: <443A2627.1020909@city-fan.org> Aurelien Bompard wrote: > Yeah, well, it doesn't work. > If I run semanage in %pre, the files in /usr/share/awstats/wwwroot/cgi-bin > are still labelled usr_t. > > I've made a separate package, as advised by Stephen in your mail, which runs > semanage in %pre (I tried %post too), and I have the following results : > > - If I install both awstats and awstats-selinux at the same time (sudo rpm > -Uvh noarch/awstats-*.rpm), the files are still usr_t > > - If I install them separately, first awstats-selinux and then awstats, the > files are labelled correctly (httpd_sys_script_exec_t) > > It looks like some transaction mechanism in RPM is causing the problem here. > Is there an RPM guru here ? Stephen ? Dan ? > > What is the correct solution ? Run restorecon in %post ? > > Thanks for your help, When you had separate packages, did you have: Requires(pre): awstats-selinux in the main awstats package? Paul. From gauret at free.fr Mon Apr 10 11:03:09 2006 From: gauret at free.fr (Aurelien Bompard) Date: Mon, 10 Apr 2006 13:03:09 +0200 Subject: SELinux support in awstats RPM References: <1144592498.9865.143.camel@laurel.intra.city-fan.org> <1144595866.9865.159.camel@laurel.intra.city-fan.org> <443A2627.1020909@city-fan.org> Message-ID: Paul Howarth wrote: > When you had separate packages, did you have: > > Requires(pre): awstats-selinux > in the main awstats package? Yes, I tried that too. Aurélien -- http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr A: Because we read from top to bottom, left to right. Q: Why should I start my reply below the quoted text ? From dwalsh at redhat.com Sat Apr 8 14:35:54 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 08 Apr 2006 10:35:54 -0400 Subject: [FC5] rsyncd invocation from rc.local In-Reply-To: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us> References: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us> Message-ID: <4437CA4A.8080001@redhat.com> To modify local policy you can execute the following grep rsync_t /var/log/messages | audit2allow -M rsync semodule -i rsync.pp rsync wanting to listen on rsync_port_t should be allowed, that is a bug in policy. Probably can dontaudit using init_t:fd and searching var_log_t. Will add rsync binding to rsync_port_t to policy. From mjs at ces.clemson.edu Mon Apr 10 14:17:20 2006 
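Dan's `grep rsync_t /var/log/messages | audit2allow -M rsync` sequence and Stephen Smoogen's `audit2allow -i /var/log/messages` suggestion earlier in the thread both begin with the same step: collapsing `avc: denied` lines into (source type, target type, class, permissions) tuples before any rule is written. The Python below is an added example, not code from any message in this thread and not audit2allow itself; the function names are mine, and the sample lines are copied from the rsync and smbd denials quoted on this list. It also shows how a reviewer records the denials Dan calls noise (init_t:fd, var_log_t) as `dontaudit` rules instead of granting them.

```python
import re
from collections import OrderedDict

# Kernel AVC message format as it appears throughout this thread:
#   ... avc: denied { perm perm } for pid=N comm="x" ... scontext=U:R:T:L tcontext=U:R:T:L tclass=C
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: rsync denials from the rc.local thread plus two smbd utmp denials,
# copied from the messages above. The first line is ordinary syslog noise to be skipped.
SAMPLE_LOG = """\
Apr 7 20:18:50 localhost kernel: hub 2-0:1.0: USB hub found
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:2): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.173:3): avc: denied { use } for pid=2061 comm="rsync" name="0" dev=devpts ino=2 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
Apr 7 20:18:53 localhost kernel: audit(1144455530.593:5): avc: denied { search } for pid=2062 comm="rsync" name="log" dev=dm-0 ino=3309596 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 7 20:18:53 localhost kernel: audit(1144455530.645:6): avc: denied { name_bind } for pid=2062 comm="rsync" src=873 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:rsync_port_t:s0 tclass=tcp_socket
Apr 9 10:36:21 localhost kernel: audit(1144593381.511:447): avc: denied { read write } for pid=3934 comm="smbd" name="utmp" dev=dm-0 ino=3309575 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Apr 9 10:36:21 localhost kernel: audit(1144593381.511:448): avc: denied { read } for pid=3934 comm="smbd" name="utmp" dev=dm-0 ino=3309575 scontext=root:system_r:smbd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""


def parse_avc(line):
    """Return a dict of the key=value fields plus a 'perms' list for one
    'avc: denied' line, or None for any line that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type[:mls] -> type. MLS ranges such as s0-s0:c0.c255 add
    further colon-separated fields but never move the type out of slot 2."""
    return ctx.split(":")[2]


def summarize(lines):
    """Fold denials into {(source type, target type, class): set(perms)},
    keeping first-seen order so the output is stable across runs."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not all(k in rec for k in ("scontext", "tcontext", "tclass")):
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def render_te(rules, module="local", dontaudit=frozenset()):
    """Render the summary as policy module source (.te), in the shape
    audit2allow -M produces: a require block, then one rule per tuple.
    Keys listed in `dontaudit` become dontaudit rules, which silences the
    denial without granting the access."""
    types, classes = set(), {}
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes.setdefault(c, set()).update(perms)
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in rules.items():
        verb = "dontaudit" if (s, t, c) in dontaudit else "allow"
        out.append("%s %s %s:%s { %s };" % (verb, s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = summarize(SAMPLE_LOG.splitlines())
    # Dan's assessment: the fd and var_log_t denials are harmless, the port bind is a policy bug.
    noise = {("rsync_t", "init_t", "fd"), ("rsync_t", "var_log_t", "dir")}
    print(render_te(rules, module="rsync", dontaudit=noise))
```

The rendered .te is what you would read before deciding whether each allow rule is really wanted; the port bind here is the one Dan says belongs in the distribution policy, not in a local module.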
From: mjs at ces.clemson.edu (Matthew Saltzman) Date: Mon, 10 Apr 2006 10:17:20 -0400 (EDT) Subject: Amanda client AVC In-Reply-To: <1144325949.6176.40.camel@moss-spartans.epoch.ncsc.mil> References: <1144325949.6176.40.camel@moss-spartans.epoch.ncsc.mil> Message-ID: On Thu, 6 Apr 2006, Stephen Smalley wrote: > On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote: >> My amanda clients are seeing the following: >> >> kernel: audit(1144217150.855:17): avc: denied { name_bind } for >> pid=3707 comm="sendbackup" src=697 >> scontext=system_u:system_r:amanda_t:s0 >> tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket >> >> And they don't work. >> >> How to fix, please? TIA. > > port 697 is listed as uuidgen in /etc/services, so specifically mapping > it to an amanda port type and allowing amanda to bind to it seems wrong. > If this is just a result of probing for any available low port for NIS, > then the allow_ypbind boolean is likely relevant; try enabling it. That stops the denial messages, but Amanda still isn't working. It fails with "too many dumper retry". I'm not getting denials, though, so I suppose that must be something else? (Running nscd doesn't seem to help matters.) Also, this seems strange as a solution as this network doesn't run NIS. I do have all the amanda-related ports open on both server and client. I had no problems running amanda under FC4. My server is FC4 and it backs itself and an RH7.3 machine up with no problems. Only my FC5 clients have issues. -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs From sds at tycho.nsa.gov Mon Apr 10 14:27:59 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 10 Apr 2006 10:27:59 -0400 Subject: Amanda client AVC In-Reply-To: References: <1144325949.6176.40.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1144679279.8101.62.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2006-04-10 at 10:17 -0400, Matthew Saltzman wrote: > On Thu, 6 Apr 2006, Stephen Smalley wrote: > > > On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote: > >> My amanda clients are seeing the following: > >> > >> kernel: audit(1144217150.855:17): avc: denied { name_bind } for > >> pid=3707 comm="sendbackup" src=697 > >> scontext=system_u:system_r:amanda_t:s0 > >> tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket > >> > >> And they don't work. > >> > >> How to fix, please? TIA. > > > > port 697 is listed as uuidgen in /etc/services, so specifically mapping > > it to an amanda port type and allowing amanda to bind to it seems wrong. > > If this is just a result of probing for any available low port for NIS, > > then the allow_ypbind boolean is likely relevant; try enabling it. > > That stops the denial messages, but Amanda still isn't working. It fails > with "too many dumper retry". I'm not getting denials, though, so I > suppose that must be something else? > > (Running nscd doesn't seem to help matters.) Try installing the enableaudit.pp policy module, i.e. semodule -b /usr/share/selinux/targeted/enableaudit.pp and retrying, then recheck your audit messages for anything relevant (but note that there may be a lot of irrelevant audit messages enabled by it). That is the equivalent in FC5 to the old 'make enableaudit load' on policy sources in FC4 and FC3. Then you revert to the normal policy via semodule -b /usr/share/selinux/targeted/base.pp > Also, this seems strange as a solution as this network doesn't run NIS. I > do have all the amanda-related ports open on both server and client. I > had no problems running amanda under FC4. 
My server is FC4 and it backs > itself and an RH7.3 machine up with no problems. Only my FC5 clients have > issues. I agree that allow_ypbind needs to be renamed/generalized. -- Stephen Smalley National Security Agency From jcliburn at gmail.com Mon Apr 10 18:25:59 2006 
From: jcliburn at gmail.com (J. K. Cliburn) Date: Mon, 10 Apr 2006 13:25:59 -0500 Subject: postmap command avc: denied messages Message-ID: <3400f2f60604101125x28e84ee3l753797dc01403b19@mail.gmail.com> First, should I file a bugzilla for this? Second, is there a workaround? Oddly, it didn't seem to impede the completion of the postmap command. Apr 10 12:17:10 osprey kernel: audit(1144689430.970:8): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file Apr 10 12:17:10 osprey kernel: audit(1144689430.970:9): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file Apr 10 12:17:10 osprey kernel: audit(1144689430.970:10): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file Apr 10 12:17:10 osprey kernel: audit(1144689430.970:11): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file Apr 10 12:17:10 osprey kernel: audit(1144689430.982:12): avc: denied { read } for pid=4617 comm="postmap" name="stat" dev=proc ino=4026531853 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file Apr 10 12:17:10 osprey kernel: audit(1144689430.982:13): avc: denied { read } for pid=4617 comm="postmap" name="cpuinfo" dev=proc ino=4026531851 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file Thanks, Jay From mroselinux at eastgranby.k12.ct.us Mon Apr 10 23:20:48 2006 
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us) Date: Mon, 10 Apr 2006 19:20:48 -0400 (EDT) Subject: samba net command does not execute In-Reply-To: <4437CA4A.8080001@redhat.com> References: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us> <4437CA4A.8080001@redhat.com> Message-ID: <50396.24.2.210.202.1144711248.squirrel@mail.eastgranby.k12.ct.us> The samba net command does not execute unless I change selinux to permissive. Apr 10 19:12:02 localhost kernel: audit(1144710722.223:158): avc: denied { write } for pid=3615 comm="net" name="group_mapping.tdb" dev=dm-0 ino=3310700 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:object_r:samba_var_t:s0 tclass=file Apr 10 19:12:02 localhost net: [2006/04/10 19:12:02.227587, 0] groupdb/mapping.c:init_group_mapping(134) Apr 10 19:12:02 localhost net: Failed to open group mapping database Apr 10 19:12:02 localhost net: [2006/04/10 19:12:02.228030, 0] groupdb/mapping.c:enum_group_mapping(415) Apr 10 19:12:02 localhost net: failed to initialize group mapping Is there a simple fix while leaving selinux enabled? Mark Orenstein East Granby School System From sds at tycho.nsa.gov Tue Apr 11 12:05:45 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 11 Apr 2006 08:05:45 -0400 Subject: [FC5] Samba and SELinux In-Reply-To: <1144688483.3011.149.camel@copper.cdkkt.com> References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org> <1144344978.2967.201.camel@copper.cdkkt.com> <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil> <1144529846.3011.73.camel@copper.cdkkt.com> <1144679472.8101.67.camel@moss-spartans.epoch.ncsc.mil> <1144688483.3011.149.camel@copper.cdkkt.com> Message-ID: <1144757145.18294.11.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2006-04-10 at 10:01 -0700, Dan Thurman wrote: > I su as root initially and in my /root directory > and created the "foo" there. You did not state > where to create "foo" so if I did this in the > wrong place, please let me know. Re-added the list to the cc line above. It doesn't matter where you create it - it is just a temporary working directory. > I downloaded the > checkmodule and installed it earlier so it appears > that this time everything works, except that in the > tmp file created, I did not get the same files as > you may have. 
Here is the log of actions: > > [dant at copper ~]$ su - > Password: > [root at copper ~]# mkdir foo > [root at copper ~]# cd foo > [root at copper foo]# vi local.te > [root at copper foo]# touch local.if local.fc > [root at copper foo]# make -f /usr/share/selinux/devel/Makefile > Compliling targeted local module > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp > /usr/bin/checkmodule: policy configuration loaded > /usr/bin/checkmodule: writing binary representation (version 5) to > tmp/local.mod > Creating targeted local.pp policy package > rm tmp/local.mod.fc tmp/local.mod > [root at copper foo]# ls > local.fc local.if local.pp local.te tmp > [root at copper foo]# ls tmp > all_interfaces.conf local.mod.role local.tmp > [root at copper foo]# Looks correct to me, and matches what was in my original message. So now you finish the sequence of instructions I provided originally, i.e. # semodule -i local.pp Then retry accessing /var/www content from samba, and if it still doesn't work, check your /var/log/messages file for avc: denied messages. -- Stephen Smalley National Security Agency From mroselinux at eastgranby.k12.ct.us Tue Apr 11 15:13:48 2006 
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us) Date: Tue, 11 Apr 2006 11:13:48 -0400 (EDT) Subject: samba net command does not execute In-Reply-To: <50396.24.2.210.202.1144711248.squirrel@mail.eastgranby.k12.ct.us> References: <1798.24.2.210.202.1144457026.squirrel@mail.eastgranby.k12.ct.us> <4437CA4A.8080001@redhat.com> <50396.24.2.210.202.1144711248.squirrel@mail.eastgranby.k12.ct.us> Message-ID: <2508.192.168.0.21.1144768428.squirrel@mail.eastgranby.k12.ct.us> > The samba net command does not execute unless I change selinux to > permissive. > > Apr 10 19:12:02 localhost kernel: audit(1144710722.223:158): avc: denied > { write } for pid=3615 comm="net" name="group_mapping.tdb" dev=dm-0 > ino=3310700 scontext=root:system_r:samba_net_t:s0-s0:c0.c255 > tcontext=root:object_r:samba_var_t:s0 tclass=file > Apr 10 19:12:02 localhost net: [2006/04/10 19:12:02.227587, 0] > groupdb/mapping.c:init_group_mapping(134) > Apr 10 19:12:02 localhost net: Failed to open group mapping database > Apr 10 19:12:02 localhost net: [2006/04/10 19:12:02.228030, 0] > groupdb/mapping.c:enum_group_mapping(415) > Apr 10 19:12:02 localhost net: failed to initialize group mapping > > Is there a simple fix while leaving selinux enabled? > > Mark Orenstein > East Granby School System > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Just to be more specific, it is the "net groupmap" command that will not execute properly with selinux enabled. From paul at city-fan.org Tue Apr 11 15:32:11 2006 
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 11 Apr 2006 16:32:11 +0100
Subject: procmail
Message-ID: <443BCBFB.2050104@city-fan.org>

I use procmail as my local delivery agent from sendmail. In FC5 this
appears to be running as procmail_t.

Procmail offers the ability to pipe mail through programs (filters), and
I use this facility from time to time. I'm getting quite a lot of denials
when doing this and wonder what the right approach to fixing them is.

Case 1: a locally-written shell script called "spamdomain"

This is in my ~/bin directory and of type user_home_t

Procmail recipe:

SPAMDOMAIN=`spamdomain`

Result:

Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc: denied { execute } for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc: denied { execute_no_trans } for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Case 2: piping mail through "sa-learn"

I run spamass-milter to reject mail in-protocol and then my own local
filter using procmail on anything that gets through. If I'm sure
something's spam, I like spamassassin to learn about it so I might reject
it earlier in future. So I pipe it through sa-learn (spamd_exec_t):

Procmail recipe:

:0c
| sa-learn --username=paul at city-fan.org --spam >/dev/null 2>&1

Result:

Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.743:8008): avc: denied { getattr } for pid=16718 comm="bash" name="sa-learn" dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8009): avc: denied { execute } for pid=16718 comm="bash" name="sa-learn" dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8010): avc: denied { read } for pid=16718 comm="bash" name="sa-learn" dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8011): avc: denied { execute_no_trans } for pid=16719 comm="bash" name="sa-learn" dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.799:8012): avc: denied { ioctl } for pid=16719 comm="sa-learn" name="sa-learn" dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file

The "bash" denials will be due to procmail forking a shell to handle the
redirects.

What *should* I be doing here to fix this? I know I could just add local
policy to fix the denials, but is there a way to do it that's supported
by existing policy?

Paul.

From dant at cdkkt.com Tue Apr 11 16:06:21 2006
From: dant at cdkkt.com (Dan Thurman)
Date: Tue, 11 Apr 2006 09:06:21 -0700
Subject: [FC5] Samba and SELinux
In-Reply-To: <1144757145.18294.11.camel@moss-spartans.epoch.ncsc.mil>
References: <1144259968.2967.63.camel@copper.cdkkt.com> <1144267162.3557.2.camel@chaucer> <1144268801.2967.107.camel@copper.cdkkt.com> <1144306138.4028.10.camel@laurel.intra.city-fan.org> <1144344978.2967.201.camel@copper.cdkkt.com> <1144346654.6176.69.camel@moss-spartans.epoch.ncsc.mil> <1144529846.3011.73.camel@copper.cdkkt.com> <1144679472.8101.67.camel@moss-spartans.epoch.ncsc.mil> <1144688483.3011.149.camel@copper.cdkkt.com> <1144757145.18294.11.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144771582.3011.226.camel@copper.cdkkt.com>

On Tue, 2006-04-11 at 08:05 -0400, Stephen Smalley wrote:
> On Mon, 2006-04-10 at 10:01 -0700, Dan Thurman wrote:
> > I su as root initially and in my /root directory
> > and created the "foo" there. You did not state
> > where to create "foo" so if I did this in the
> > wrong place, please let me know.
>
> Re-added the list to the cc line above.
>
> It doesn't matter where you create it - it is just a temporary working
> directory.
>
> > I downloaded the
> > checkmodule and installed it earlier so it appears
> > that this time everything works, except that in the
> > tmp file created, I did not get the same files as
> > you may have. Here is the log of actions:
> >
> > [dant at copper ~]$ su -
> > Password:
> > [root at copper ~]# mkdir foo
> > [root at copper ~]# cd foo
> > [root at copper foo]# vi local.te
> > [root at copper foo]# touch local.if local.fc
> > [root at copper foo]# make -f /usr/share/selinux/devel/Makefile
> > Compliling targeted local module
> > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > /usr/bin/checkmodule: policy configuration loaded
> > /usr/bin/checkmodule: writing binary representation (version 5) to
> > tmp/local.mod
> > Creating targeted local.pp policy package
> > rm tmp/local.mod.fc tmp/local.mod
> > [root at copper foo]# ls
> > local.fc local.if local.pp local.te tmp
> > [root at copper foo]# ls tmp
> > all_interfaces.conf local.mod.role local.tmp
> > [root at copper foo]#
>
> Looks correct to me, and matches what was in my original message. So
> now you finish the sequence of instructions I provided originally, i.e.
> # semodule -i local.pp
>
> Then retry accessing /var/www content from samba, and if it still
> doesn't work, check your /var/log/messages file for avc: denied
> messages.
>

Ok, I thought the file local.pp was to exist somewhere which I did not
find anywhere. That was my confusion.

OK I issued:

semodule -i local.pp

and it completed. I went to a windows system and I am now able to view
/var/www contents. I am also able to create and delete files and
directories.

All is now working well! If there is anything else, please let me know.

Kind regards,
Dan

From Valdis.Kletnieks at vt.edu Tue Apr 11 19:18:52 2006
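Stephen's sequence above (write local.te, build it with the devel Makefile, load it with semodule -i local.pp) starts from the avc: denied lines in /var/log/messages, and Paul's procmail post asks what to do with a pile of them. The following is an added example, not code from the thread or from the SELinux tools: it parses AVC lines in both shapes seen on this list (the syslog "kernel: audit(...)" form and the auditd "type=AVC" form), folds them per source type, target type and class the way audit2allow does, and renders a local.te skeleton for review. Sample lines are taken from the procmail and postmap messages on this page (one rewritten into the type=AVC shape); the function names and the module name are this example's own.

```python
import re
from collections import defaultdict

# AVC denials appear on this list in two shapes: the syslog form
# ("kernel: audit(...): avc: denied { perm } for ...") and the auditd form
# ("type=AVC msg=audit(...): avc:  denied  { perm } for ..."). Both carry the
# same key=value fields after "for", so one parser covers them.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict (perms as a sorted list),
    or None when the line is not an AVC denial (SYSCALL/PATH records, daemon noise)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    fields["perms"] = sorted(m.group("perms").split())
    return fields


def context_type(ctx):
    """user:role:type[:mls range] -> type, e.g. system_u:system_r:procmail_t:s0 -> procmail_t."""
    return ctx.split(":")[2]


def avc_rules(lines):
    """Aggregate denials by (source type, target type, object class) -> set of permissions,
    so that several AVCs for the same pair become one allow rule."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        rules[key].update(avc["perms"])
    return dict(rules)


def build_module(rules, name="local", version="1.0"):
    """Render policy source in the form of the local.te the thread compiles with
    'make -f /usr/share/selinux/devel/Makefile' and loads with 'semodule -i local.pp'."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};" for cls in sorted(classes)]
    out += ["}", ""]
    # Every rule below widens the source domain's reach; read each one before loading.
    # Allowing procmail_t execute on user_home_t, for instance, lets procmail run
    # anything a user drops in $HOME, which is why the thread asks for a
    # policy-supported alternative rather than a blanket allow.
    out += [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


# Sample input, constructed from lines quoted in this thread (the postmap lines
# re-joined where the mail client wrapped them, the last AVC rewritten into the
# type=AVC shape), plus one non-AVC syslog line to show that it is skipped.
SAMPLE_LINES = [
    'Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc: denied { execute } '
    'for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 '
    'scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc: denied { execute_no_trans } '
    'for pid=16622 comm="procmail" name="spamdomain" dev=dm-1 ino=1399071 '
    'scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Apr 10 12:17:10 osprey kernel: audit(1144689430.970:8): avc: denied { read write } '
    'for pid=4617 comm="postmap" name="0" dev=devpts ino=2 '
    'scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1144689430.982:12): avc:  denied  { read } for  pid=4617 comm="postmap" '
    'name="stat" dev=proc ino=4026531853 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'Apr 10 12:17:10 osprey net: Failed to open group mapping database',
]

if __name__ == "__main__":
    print(build_module(avc_rules(SAMPLE_LINES)), end="")
```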
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Tue, 11 Apr 2006 15:18:52 -0400
Subject: policy 2.2.29-6 complains about system_chkpwd_t
Message-ID: <200604111918.k3BJIr6g018021@turing-police.cc.vt.edu>

Using 'strict' policy (yes, I know development is probably elsewhere at
the moment), installing selinux-policy-2.2.29-6, I get:

# rpm -Fvh selin*
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-strict  ########################################### [100%]
libsepol.scope_copy_callback: authlogin: Duplicate declaration in module: type/attribute system_chkpwd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

Using a can opener on the .src.rpm and poking around, I find 3 hits in
./serefpolicy-2.2.29/policy/modules/system/authlogin.if - but all 3 seem
to be wrapped in a gen_require().

Any hints/suggestions? Hopefully enough info so somebody says "D'oh!
fixed in tomorrow's Rawhide", but I'm certainly willing to help debug
this one.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL:

From dwalsh at redhat.com Tue Apr 11 21:38:19 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 11 Apr 2006 17:38:19 -0400
Subject: SELinux blocking something related to camera
In-Reply-To: <1144581301.9865.106.camel@laurel.intra.city-fan.org>
References: <4438D8A9.9030107@devia.org> <1144581301.9865.106.camel@laurel.intra.city-fan.org>
Message-ID: <443C21CB.90906@redhat.com>

Paul Howarth wrote:
> On Sun, 2006-04-09 at 11:49 +0200, Tor Arne Thune wrote:
>
>> Hi.
>> I am having some trouble accessing my Canon EOS 10D camera through
>> digikam as non-root. SELinux seems to be blocking something. When I turn
>> the camera on I get these messages in /var/log/messages:
>> Apr 9 10:34:43 ranger kernel: usb 2-1: new full speed USB device using
>> uhci_hcd and address 2
>> Apr 9 10:34:44 ranger kernel: usb 2-1: configuration #1 chosen from 1
>> choice
>> Apr 9 10:34:44 ranger kernel: audit(1144571684.462:10): avc: denied {
>> search } for pid=21743 comm="cat" name="console" dev=dm-0 ino=1474652
>> scontext=system_u:system_r:hald_t:s0
>> tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir
>> Apr 9 10:37:03 ranger kernel: usb 2-1: USB disconnect, address 2
>>
>> What should I disable in the SELinux policy to make this work? Any
>> thoughts are greatly appreciated.
>>
>
> FWIW, you're not the only digikam user to experience this:
> http://www.redhat.com/archives/fedora-list/2006-April/msg01718.html
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Should be fixed by latest policy update.

From dwalsh at redhat.com Tue Apr 11 21:43:19 2006
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 11 Apr 2006 17:43:19 -0400 Subject: SELinux support in awstats RPM In-Reply-To: References: Message-ID: <443C22F7.1050102@redhat.com> Aurelien Bompard wrote: > Hi you SELinux gurus :) > > I'm trying to add SELinux support to my rpm of awstats in Extras. > Awstats is a perl CGI script which analyses the webserver's logs (and other > logs). It stores its (text-based) databases in /var/lib/awstats, and the > cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an > alias in an httpd conf file to make it visible from /awstats/ from the web. > > For the FC5 package, I've added two semanage calls in %pre to set the > correct types on the cgi and the databases dir. > Before committing and requesting a build, I'd like to make sure with you > that I'm not doing something dangerous, since I'm rather new to SELinux. > Here's the diff : > --- awstats.spec 23 Feb 2006 10:17:11 -0000 1.10 > +++ awstats.spec 9 Apr 2006 13:50:38 -0000 > @@ -13,6 +13,7 @@ > Requires: perl > Requires(post): perl > Requires(postun): /sbin/service > +Requires(pre): policycoreutils > > %description > Advanced Web Statistics is a powerful and featureful tool that generates 
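Review bot: Requires(pre): policycoreutils only orders policycoreutils ahead of this package's %pre; the patch adds no Requires(post) or Requires(postun) on it, so if the labelling moves into %post (as is suggested further down this thread) or a %postun cleanup of the fcontext entries is added, a matching scriptlet dependency needs to go alongside the existing Requires(post): perl and Requires(postun): /sbin/service lines, otherwise rpm may run those scriptlets on a box where semanage is not yet installed.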
> @@ -112,6 +113,14 @@ > %clean > rm -rf $RPM_BUILD_ROOT > > + > +%pre > +# Set SELinux types > +semanage fcontext -a -t httpd_sys_script_exec_t \ > + '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : > +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' > 2>/dev/null || : > + > + > %post > if [ $1 -eq 1 ]; then > if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
>
>
> Does it look correct to you ? If I run semanage in %pre, I should not need
> to run restorecon on /var/lib/awstats and
> on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ?
>
> Is there a better/cleaner way to do it ?
> This is a rather common case IMHO, so if we all agree I think it would be
> worth having as an example on the Fedora wiki.
>
> Thanks.
>
> Aurélien
>

In your

%post
chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
chcon -R -t httpd_sys_script_rw_t /var/lib/awstats

Should be enough. These should not get relabeled in a restorecon since
they are customizable types.

From dwalsh at redhat.com Tue Apr 11 21:47:13 2006
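Review bot: the new %pre adds two fcontext mappings but nothing in the patch ever removes them, so they outlive the package; pair it with a %postun that runs semanage fcontext -d on both patterns when $1 -eq 0. Two further points on the same hunk: semanage fcontext -a refuses a pattern that is already defined, so the trailing 2>/dev/null || : makes every install after the first (and every upgrade) silently skip the call, which is fine for idempotence but also hides a missing semanage or a disabled SELinux; and adding a mapping does not relabel files that already exist, in particular databases awstats has already written under /var/lib/awstats, so the %post visible in the context lines should run restorecon -R on /usr/share/awstats/wwwroot/cgi-bin and /var/lib/awstats rather than relying on %pre alone, as the question under the hunk already suspects.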
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 11 Apr 2006 17:47:13 -0400
Subject: apache serving nfs-hosted files on FC5
In-Reply-To: <7BC7DEFF-0596-4EA6-B98B-0D13F382DC9A@silentmedia.com>
References: <7BC7DEFF-0596-4EA6-B98B-0D13F382DC9A@silentmedia.com>
Message-ID: <443C23E1.9040209@redhat.com>

Ben wrote:
> Is there a simple boolean that lets me do this? My avc errors look like:
>
> Apr 9 11:21:50 charlotte kernel: audit(1144606910.006:153): avc:
> denied { search } for pid=17677 comm="httpd" name="/" dev=0:12
> ino=292243 scontext=root:system_r:httpd_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> Apr 9 11:21:50 charlotte kernel: audit(1144606910.006:154): avc:
> denied { getattr } for pid=17677 comm="httpd" name="/" dev=0:12
> ino=292243 scontext=root:system_r:httpd_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
>

Right now this is not something we have come across, but if you set the
following booleans it will be allowed

setsebool -P httpd_enable_homedirs=1 use_nfs_home_dirs=1

Not ideal but it works. Probably should bugzilla this to have a boolean
httpd_use_nfs or something.

>
> On a related note, is there a way to see what the various booleans are
> supposed to be good for?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Tue Apr 11 21:51:05 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 11 Apr 2006 17:51:05 -0400
Subject: postmap command avc: denied messages
In-Reply-To: <3400f2f60604101125x28e84ee3l753797dc01403b19@mail.gmail.com>
References: <3400f2f60604101125x28e84ee3l753797dc01403b19@mail.gmail.com>
Message-ID: <443C24C9.7060200@redhat.com>

J. K. Cliburn wrote:
> First, should I file a bugzilla for this?
>
> Second, is there a workaround? Oddly, it didn't seem to impede the
> completion of the postmap command.
>

Are you running in permissive mode? These messages probably would not
appear in enforcing mode and therefore can be ignored.

> Apr 10 12:17:10 osprey kernel: audit(1144689430.970:8): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> Apr 10 12:17:10 osprey kernel: audit(1144689430.970:9): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> Apr 10 12:17:10 osprey kernel: audit(1144689430.970:10): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> Apr 10 12:17:10 osprey kernel: audit(1144689430.970:11): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> Apr 10 12:17:10 osprey kernel: audit(1144689430.982:12): avc: denied { read } for pid=4617 comm="postmap" name="stat" dev=proc ino=4026531853 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file
> Apr 10 12:17:10 osprey kernel: audit(1144689430.982:13): avc: denied { read } for pid=4617 comm="postmap" name="cpuinfo" dev=proc ino=4026531851 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file
>
> Thanks,
> Jay
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From jcliburn at gmail.com Wed Apr 12 01:06:17 2006
From: jcliburn at gmail.com (J. K. Cliburn)
Date: Tue, 11 Apr 2006 20:06:17 -0500
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
Message-ID: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com>

When I try to open a floppy drive in Nautilus, nothing happens except
the following message is logged in /var/log/messages.

Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied { write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file

What do I need to do to enable opening the floppy drive?

Thanks,
Jay

From gauret at free.fr Wed Apr 12 07:16:24 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Wed, 12 Apr 2006 09:16:24 +0200
Subject: SELinux support in awstats RPM
References: <443C22F7.1050102@redhat.com>
Message-ID:

Daniel J Walsh wrote:
> In your
>
> %post
> chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
> chcon -R -t httpd_sys_script_rw_t /var/lib/awstats
>
> Should be enough. These should not get relabeled in a restorecon since
> they are customizable types.

You mean the call to semanage is not even necessary ? If I remove its
action (with semanage fcontext -d), run chcon on the cgis and run
restorecon on them, they are labelled back to usr_t.

What do you mean by "customizable types" ?

Thanks
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
"As we enjoy great advantages from inventions of others, we should be
glad of an opportunity to serve others by any invention of ours ; and
this we should do freely and generously." -- Benjamin Franklin

From paul at city-fan.org Wed Apr 12 07:20:45 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 12 Apr 2006 08:20:45 +0100
Subject: SELinux support in awstats RPM
In-Reply-To: <443C22F7.1050102@redhat.com>
References: <443C22F7.1050102@redhat.com>
Message-ID: <1144826446.15058.14.camel@laurel.intra.city-fan.org>

On Tue, 2006-04-11 at 17:43 -0400, Daniel J Walsh wrote:
> Aurelien Bompard wrote:
> > Hi you SELinux gurus :)
> >
> > I'm trying to add SELinux support to my rpm of awstats in Extras.
> > Awstats is a perl CGI script which analyses the webserver's logs (and other
> > logs). It stores its (text-based) databases in /var/lib/awstats, and the
> > cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an
> > alias in an httpd conf file to make it visible from /awstats/ from the web.
> >
> > For the FC5 package, I've added two semanage calls in %pre to set the
> > correct types on the cgi and the databases dir.
> > Before committing and requesting a build, I'd like to make sure with you
> > that I'm not doing something dangerous, since I'm rather new to SELinux.
> > Here's the diff :
> > --- awstats.spec 23 Feb 2006 10:17:11 -0000 1.10 > > +++ awstats.spec 9 Apr 2006 13:50:38 -0000 > > @@ -13,6 +13,7 @@ > > Requires: perl > > Requires(post): perl > > Requires(postun): /sbin/service > > +Requires(pre): policycoreutils > > > > %description > > Advanced Web Statistics is a powerful and featureful tool that generates
> > @@ -112,6 +113,14 @@ > > %clean > > rm -rf $RPM_BUILD_ROOT > > > > + > > +%pre > > +# Set SELinux types > > +semanage fcontext -a -t httpd_sys_script_exec_t \ > > + '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : > > +semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' > > 2>/dev/null || : > > + > > + > > %post > > if [ $1 -eq 1 ]; then > > if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
> >
> >
> > Does it look correct to you ? If I run semanage in %pre, I should not need
> > to run restorecon on /var/lib/awstats and
> > on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ?
> >
> > Is there a better/cleaner way to do it ?
> > This is a rather common case IMHO, so if we all agree I think it would be
> > worth having as an example on the Fedora wiki.
> >
> > Thanks.
> >
> > Aurélien
> >
>
> In your
>
> %post
> chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
> chcon -R -t httpd_sys_script_rw_t /var/lib/awstats
>
> Should be enough. These should not get relabeled in a restorecon since
> they are customizable types.

Supposing that the package needed non-customizable types, as will
probably be the case for other packages that come along before long.
Would the right thing to do be the semanage to protect against
relabelling plus the chcon in %post to get the right context straight
after package installation?

Any thoughts on why semanage in %pre doesn't work?

Paul.

From paul at city-fan.org Wed Apr 12 07:48:48 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 12 Apr 2006 08:48:48 +0100
Subject: Typo in samba_selinux man page
Message-ID: <1144828128.15058.25.camel@laurel.intra.city-fan.org>

setsebool -P allow_smbd_anon_write 1

is written as

setsebool -P allow_smb_anon_write=1

Paul.

From rmy at tigress.co.uk Wed Apr 12 08:39:02 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Wed, 12 Apr 2006 09:39:02 +0100
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com>
Message-ID: <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk>

"J. K. Cliburn" wrote:
>When I try to open a floppy drive in Nautilus, nothing happens except
>the following message is logged in /var/log/messages.
>
>Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
>{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
>scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
>tclass=file
>
>What do I need to do to enable opening the floppy drive?

I don't have an FC5 system to hand at the moment, so take this with a
pinch of salt.

I had similar problems with /etc/mtab, except it was umount that couldn't
write to it when the system was shutting down. The issue seems to be with
the type of /etc/mtab. Try:

chcon -t etc_runtime_t /etc/mtab

I was going to report this but it seemed to sort itself out on my system
for no reason that I could discern.

Ron

From russell at coker.com.au Wed Apr 12 05:28:13 2006
From: russell at coker.com.au (Russell Coker)
Date: Wed, 12 Apr 2006 15:28:13 +1000
Subject: [FC5] Wrong default context for hping2
In-Reply-To: <44353D3D.7080609@ruault.com>
References: <44353D3D.7080609@ruault.com>
Message-ID: <200604121528.17437.russell@coker.com.au>

On Friday 07 April 2006 02:09, Charles-Edouard Ruault wrote:
> But the ping_exec_t domain does not allow the creation of packet socket.
> Here's the audit log :
> type=AVC msg=audit(1144338231.596:1933): avc: denied { create } for
> pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255
> tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket

Allowing the packet_socket access seems appropriate as it's just
different ways of doing the same thing. In my next update to the rawhide
policy I'll include this. Not sure if it's worth doing for FC5 as hping
isn't in Core.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From selinux at gmail.com Wed Apr 12 14:08:04 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 12 Apr 2006 07:08:04 -0700
Subject: error in today's rawhide update....
Message-ID: <4c4ba1530604120708h7ab35fc0q89dc06f499ef056c@mail.gmail.com>

Doing today's update I get:

Updating : selinux-policy-targeted ####################### [13/32]
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/homedir_template to /etc/selinux/targeted/contexts/files/homedir_template.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/homedir_template to /etc/selinux/targeted/contexts/files/homedir_template.
semodule: Failed!

Here are the AVCs:

type=AVC msg=audit(1144850575.266:27): avc: denied { write } for pid=3407 comm="semodule" name="files" dev=dm-0 ino=6667714 scontext=user_u:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1144850575.266:27): arch=40000003 syscall=5 success=no exit=-13 a0=bff7d678 a1=241 a2=1a4 a3=1a4 items=1 pid=3407 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="semodule" exe="/usr/sbin/semodule" subj=user_u:system_r:semanage_t:s0-s0:c0.c255
type=CWD msg=audit(1144850575.266:27): cwd="/usr/share/selinux/targeted"
type=PATH msg=audit(1144850575.266:27): item=0 name="/etc/selinux/targeted/contexts/files/homedir_template.tmp" parent=6667714 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:file_context_t:s0
type=AVC msg=audit(1144850575.306:28): avc: denied { write } for pid=3407 comm="semodule" name="files" dev=dm-0 ino=6667714 scontext=user_u:system_r:semanage_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1144850575.306:28): arch=40000003 syscall=5 success=no exit=-13 a0=bff7d678 a1=241 a2=1a4 a3=1a4 items=1 pid=3407 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="semodule" exe="/usr/sbin/semodule" subj=user_u:system_r:semanage_t:s0-s0:c0.c255
type=CWD msg=audit(1144850575.306:28): cwd="/usr/share/selinux/targeted"
type=PATH msg=audit(1144850575.306:28): item=0 name="/etc/selinux/targeted/contexts/files/homedir_template.tmp" parent=6667714 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:file_context_t:s0

tom
--
Tom London

From selinux at gmail.com Wed Apr 12 14:17:53 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 12 Apr 2006 07:17:53 -0700
Subject: error in today's rawhide update....
In-Reply-To: <4c4ba1530604120708h7ab35fc0q89dc06f499ef056c@mail.gmail.com>
References: <4c4ba1530604120708h7ab35fc0q89dc06f499ef056c@mail.gmail.com>
Message-ID: <4c4ba1530604120717r3b4b63cesb8b78642f2f982a0@mail.gmail.com>

I did 'setenforce 0', and 'rpm -Uvh selinux-policy-targeted*', and
this seems to be proceeding without errors.

I'm getting lots of files relabeled (>400), mostly texrel_shlib_t to
lib_t, for things like /usr/lib/firefox, /usr/lib/mozilla,
/usr/lib/wine.

This expected?

tom

From jcliburn at gmail.com Wed Apr 12 14:12:05 2006
From: jcliburn at gmail.com (J. K. Cliburn)
Date: Wed, 12 Apr 2006 09:12:05 -0500
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk>
Message-ID: <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com>

On 4/12/06, Ron Yorston wrote:
> "J. K. Cliburn" wrote:
> >When I try to open a floppy drive in Nautilus, nothing happens except
> >the following message is logged in /var/log/messages.
> >
> >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
> >{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
> >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
> >tclass=file
> >
> >What do I need to do to enable opening the floppy drive?
>
> chcon -t etc_runtime_t /etc/mtab

Thanks for your reply, Ron. If "ls -Z" already shows etc_runtime_t on
/etc/mtab, will the chcon you suggest change anything? (Just trying to
learn.)

Best,
Jay

From sds at tycho.nsa.gov Wed Apr 12 14:32:39 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 12 Apr 2006 10:32:39 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com>
Message-ID: <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
> On 4/12/06, Ron Yorston wrote:
> > "J. K. Cliburn" wrote:
> > >When I try to open a floppy drive in Nautilus, nothing happens except
> > >the following message is logged in /var/log/messages.
> > >
> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
> > >{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
> > >tclass=file
> > >
> > >What do I need to do to enable opening the floppy drive?
> >
> > chcon -t etc_runtime_t /etc/mtab
>
> Thanks for your reply, Ron. If "ls -Z" already shows etc_runtime_t on
> /etc/mtab, will the chcon you suggest change anything? (Just trying
> to learn.)

No, it won't relabel if it already has the right type. But from your avc
message, at some earlier point, it had the wrong type (etc_t). The
implication is that some process re-created /etc/mtab at some point
without having a proper type transition, so it was left in etc_t, and
later it was again re-created but this time by a process with a type
transition defined, so that it was put back into etc_runtime_t.

Dan has introduced a daemon (restorecond) as an attempt to provide a way
to automatically detect and reset contexts on files like this, where it
is difficult to ensure that the file retains the right type under
targeted policy because not all programs run confined.

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Wed Apr 12 14:51:35 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 12 Apr 2006 07:51:35 -0700
Subject: error in today's rawhide update....
In-Reply-To: <4c4ba1530604120717r3b4b63cesb8b78642f2f982a0@mail.gmail.com>
References: <4c4ba1530604120708h7ab35fc0q89dc06f499ef056c@mail.gmail.com> <4c4ba1530604120717r3b4b63cesb8b78642f2f982a0@mail.gmail.com>
Message-ID: <4c4ba1530604120751y448b599fqba6462087172248b@mail.gmail.com>

On 4/12/06, Tom London wrote:
> I did 'setenforce 0', and 'rpm -Uvh selinux-policy-targeted*', and
> this seems to be proceeding without errors.
>
> I'm getting lots of files relabeled (>400), mostly texrel_shlib_t to
> lib_t, for things like /usr/lib/firefox, /usr/lib/mozilla,
> /usr/lib/wine.
>
> This expected?

Hmmm...Suspect relabeling has broken some stuff. Get this when I try to
start firefox:

type=AVC msg=audit(1144853278.073:58): avc: denied { execmod } for pid=4819 comm="firefox-bin" name="libxpcom_core.so" dev=dm-0 ino=6114892 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1144853278.073:58): arch=40000003 syscall=125 success=yes exit=0 a0=327000 a1=cc000 a2=5 a3=bfc5e610 items=0 pid=4819 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-1.5.0.1/firefox-bin" subj=user_u:system_r:unconfined_t:s0
type=AVC_PATH msg=audit(1144853278.073:58): path="/usr/lib/firefox-1.5.0.1/libxpcom_core.so"

I'll reboot in permissive mode and try to capture all the AVCs....

tom
--
Tom London

From selinux at gmail.com Wed Apr 12 16:00:18 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 12 Apr 2006 09:00:18 -0700
Subject: AVCs from selinux-targeted
Message-ID: <4c4ba1530604120900x63c64775o323532292cf25cef@mail.gmail.com>

Below is a dump of the AVC after applying today's selinux-policy-targeted
and rebooting in permissive mode.

tom

[gdm greeter fails, but not sure yet if it is related.... The first AVC
is from vmware...]

[root at localhost ~]# ausearch -i -if log

--
Tom London

From dwalsh at redhat.com Wed Apr 12 17:22:42 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 12 Apr 2006 13:22:42 -0400
Subject: Typo in samba_selinux man page
In-Reply-To: <1144828128.15058.25.camel@laurel.intra.city-fan.org>
References: <1144828128.15058.25.camel@laurel.intra.city-fan.org>
Message-ID: <443D3762.2080006@redhat.com>

Paul Howarth wrote:
> setsebool -P allow_smbd_anon_write 1
> is written as
> setsebool -P allow_smb_anon_write=1
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Where are you seeing this? FC5?

It should have been fixed a while ago.

From paul at city-fan.org Wed Apr 12 17:27:34 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 12 Apr 2006 18:27:34 +0100
Subject: Typo in samba_selinux man page
In-Reply-To: <443D3762.2080006@redhat.com>
References: <1144828128.15058.25.camel@laurel.intra.city-fan.org> <443D3762.2080006@redhat.com>
Message-ID: <443D3886.5040900@city-fan.org>

Daniel J Walsh wrote:
> Paul Howarth wrote:
>> setsebool -P allow_smbd_anon_write 1
>> is written as
>> setsebool -P allow_smb_anon_write=1
>>
>> Paul.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> Where are you seeing this? FC5?
>
> It should have been fixed a while ago.

Ah, "a while ago" must be the last day or two (or maybe three). My local mirror at work updated to selinux-policy-2.2.29-3.fc5 (which has the fix) but my local mirror at home still had selinux-policy-2.2.25-2.fc5 (which doesn't).

Paul.

From rmy at tigress.co.uk Wed Apr 12 18:33:26 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Wed, 12 Apr 2006 19:33:26 +0100
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk>

Stephen Smalley wrote:
>On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
>> On 4/12/06, Ron Yorston wrote:
>> > "J. K. Cliburn" wrote:
>> > >When I try to open a floppy drive in Nautilus, nothing happens except
>> > >the following message is logged in /var/log/messages.
>> > >
>> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
>> > >{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
>> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
>> > >tclass=file
>> > >
>> > >What do I need to do to enable opening the floppy drive?
>> >
>>
>> > chcon -t etc_runtime_t /etc/mtab
>>
>> Thanks for your reply, Ron. If "ls -Z" already shows etc_runtime_t on
>> /etc/mtab, will the chcon you suggest change anything? (Just trying
>> to learn.)
>
>No, it won't relabel if it already has the right type. But from your
>avc message, at some earlier point, it had the wrong type (etc_t). The
>implication is that some process re-created /etc/mtab at some point
>without having a proper type transition, so it was left in etc_t, and
>later it was again re-created but this time by a process with a type
>transition defined, so that it was put back into etc_runtime_t.
And "some process" can be as simple as umount:

# ls -Z /etc/mtab
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
# ls -i /etc/mtab
31987 /etc/mtab
# umount /opt
# ls -Z /etc/mtab
-rw-r--r--  root root user_u:object_r:etc_t  /etc/mtab
# ls -i /etc/mtab
33358 /etc/mtab

Ron

From sds at tycho.nsa.gov Wed Apr 12 18:43:53 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 12 Apr 2006 14:43:53 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk>
Message-ID: <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-12 at 19:33 +0100, Ron Yorston wrote:
> Stephen Smalley wrote:
> >On Wed, 2006-04-12 at 09:12 -0500, J. K. Cliburn wrote:
> >> On 4/12/06, Ron Yorston wrote:
> >> > "J. K. Cliburn" wrote:
> >> > >When I try to open a floppy drive in Nautilus, nothing happens except
> >> > >the following message is logged in /var/log/messages.
> >> > >
> >> > >Apr 11 20:02:02 osprey kernel: audit(1144803722.736:26): avc: denied
> >> > >{ write } for pid=6730 comm="mount" name="mtab" dev=hda3 ino=6843966
> >> > >scontext=user_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0
> >> > >tclass=file
> >> > >
> >> > >What do I need to do to enable opening the floppy drive?
> >> >
> >>
> >> > chcon -t etc_runtime_t /etc/mtab
> >>
> >> Thanks for your reply, Ron. If "ls -Z" already shows etc_runtime_t on
> >> /etc/mtab, will the chcon you suggest change anything? (Just trying
> >> to learn.)
> >
> >No, it won't relabel if it already has the right type. But from your
> >avc message, at some earlier point, it had the wrong type (etc_t). The
> >implication is that some process re-created /etc/mtab at some point
> >without having a proper type transition, so it was left in etc_t, and
> >later it was again re-created but this time by a process with a type
> >transition defined, so that it was put back into etc_runtime_t.
>
> And "some process" can be as simple as umount:
>
> # ls -Z /etc/mtab
> -rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
> # ls -i /etc/mtab
> 31987 /etc/mtab
> # umount /opt
> # ls -Z /etc/mtab
> -rw-r--r--  root root user_u:object_r:etc_t  /etc/mtab
> # ls -i /etc/mtab
> 33358 /etc/mtab

Hmm...that's interesting. umount should run in the same domain as mount, and they should thus have a type transition on etc_t:file to etc_runtime_t. ls -Z /bin/umount

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Apr 12 18:49:36 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 12 Apr 2006 14:49:36 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-12 at 14:43 -0400, Stephen Smalley wrote:
> > And "some process" can be as simple as umount:
> >
> > # ls -Z /etc/mtab
> > -rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
> > # ls -i /etc/mtab
> > 31987 /etc/mtab
> > # umount /opt
> > # ls -Z /etc/mtab
> > -rw-r--r--  root root user_u:object_r:etc_t  /etc/mtab
> > # ls -i /etc/mtab
> > 33358 /etc/mtab
>
> Hmm...that's interesting. umount should run in the same domain as
> mount, and they should thus have a type transition on etc_t:file to
> etc_runtime_t. ls -Z /bin/umount

Looks like there is no transition defined into mount_t from unconfined_t? So umount and mount are just run in unconfined_t? And unconfined_t lacks the type transition?

--
Stephen Smalley
National Security Agency

From rhallyx at mindspring.com Wed Apr 12 20:52:34 2006
From: rhallyx at mindspring.com (Richard Hally)
Date: Wed, 12 Apr 2006 16:52:34 -0400
Subject: rawhide update errors
Message-ID: <443D6892.1060400@mindspring.com>

Do the following errors need to be bugzilled?

Updating : selinux-policy-targeted ####################### [18/54]
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
Updating : mesa-libGLw-devel ####################### [19/54]
Updating : libselinux-devel ####################### [20/54]
Updating : postfix ####################### [21/54]
Updating : vim-minimal ###################### [22/54]warning: /etc/vimrc created as /etc/vimrc.rpmnew
Updating : vim-minimal ####################### [22/54]
Updating : vim-X11 ####################### [23/54]
Updating : synaptics ####################### [24/54]
Updating : selinux-policy-strict ####################### [25/54]
libsepol.scope_copy_callback: authlogin: Duplicate declaration in module: type/attribute system_chkpwd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Updating : gnupg ###################

From Valdis.Kletnieks at vt.edu Wed Apr 12 21:28:55 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Wed, 12 Apr 2006 17:28:55 -0400
Subject: rawhide update errors
In-Reply-To: Your message of "Wed, 12 Apr 2006 16:52:34 EDT." <443D6892.1060400@mindspring.com>
References: <443D6892.1060400@mindspring.com>
Message-ID: <200604122128.k3CLStTP015886@turing-police.cc.vt.edu>

On Wed, 12 Apr 2006 16:52:34 EDT, Richard Hally said:
> Updating : selinux-policy-targeted ####################### [18/54]
> /usr/sbin/load_policy: Can't load policy: Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule: Failed!

I'm going to guess this is due to you also having strict installed - if strict was the active policy, the attempt to load targeted in mid-stream may well fail.

> Updating : selinux-policy-strict ####################### [25/54]
> libsepol.scope_copy_callback: authlogin: Duplicate declaration in
> module: type/attribute system_chkpwd_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!

I reported this one on the list the other day... 2.2.30 still has the problem.

From rhally at mindspring.com Thu Apr 13 03:35:57 2006
From: rhally at mindspring.com (Richard Hally)
Date: Wed, 12 Apr 2006 23:35:57 -0400
Subject: rawhide update errors
In-Reply-To: <200604122128.k3CLStTP015886@turing-police.cc.vt.edu>
References: <443D6892.1060400@mindspring.com> <200604122128.k3CLStTP015886@turing-police.cc.vt.edu>
Message-ID: <443DC71D.9000801@mindspring.com>

Valdis.Kletnieks at vt.edu wrote:
> On Wed, 12 Apr 2006 16:52:34 EDT, Richard Hally said:
>> Updating : selinux-policy-targeted ####################### [18/54]
>> /usr/sbin/load_policy: Can't load policy: Invalid argument
>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>> semodule: Failed!
>
> I'm going to guess this is due to you also having strict installed - if strict
> was the active policy, the attempt to load targeted in mid-stream may well fail.
>

Nope, targeted is the active policy (in permissive).

>> Updating : selinux-policy-strict ####################### [25/54]
>> libsepol.scope_copy_callback: authlogin: Duplicate declaration in
>> module: type/attribute system_chkpwd_t
>> libsemanage.semanage_link_sandbox: Link packages failed
>> semodule: Failed!
>
> I reported this one on the list the other day... 2.2.30 still has the problem.
>
>

OK, sorry I missed seeing it.

From paul at city-fan.org Thu Apr 13 07:36:05 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 13 Apr 2006 08:36:05 +0100
Subject: Create new types in modules?
Message-ID: <1144913765.23369.30.camel@laurel.intra.city-fan.org>

Is it possible to create new context types in a loadable module?

Here's why I ask:

I'm trying to use mock to build packages on FC5 targeted at older distributions, like Red Hat 8 for instance (more on mock at http://fedoraproject.org/wiki/Legacy/Mock and http://fedoraproject.org/wiki/Projects/Mock). What mock basically does is to create a chroot with a build environment for the target distribution and runs a regular rpm build within that chroot, pulling in the other distro's binaries, shared libraries, etc.

Mock's approach to SELinux is simple: it loads a dummy libselinux that effectively turns it off.

However, with FC5, this no longer seems to be enough. The memory tests don't like loading ancient DSO's that don't have separate stack segments and so some builds fail with execmod errors. I tried using semanage to set the default context for .so.* files under the chroot to textrel_shlib_t but although restorecon targeted those files properly, the contexts weren't set properly within the chrooted build (would I have to remove the chroot prefix in the semanage call to get that to work? it's not something I want to do as I'll get the wrong contexts on files in the host system that way).

So, my idea was to define everything under my chroot as a new type, mock_root_t, and then have a module like this:

module mock 0.2;

require {
        class file execmod;

        type unconfined_t;
        type mock_root_t;
};

allow unconfined_t mock_root_t:file execmod;

However, I can't load this module using semodule because mock_root_t doesn't exist. So is there a way of defining a new type in a module?

Paul.

From gauret at free.fr Thu Apr 13 08:10:25 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Thu, 13 Apr 2006 10:10:25 +0200
Subject: Support for the NX client
Message-ID:

Hi all,

To have the (proprietary) NX client from http://nomachine.com work on FC5 with SELinux on, I had to run "setsebool allow_execmod 1". Then the NX client works, and I turn it back off afterwards. It works, but there should be a better way.

The lib causing the problem is /usr/NX/lib/libXcomp.so.1, and I found today in the wiki a possible cleaner way to do it. From: http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions#head-fe3507917e40f867c7ebd26c75c18364ab40b708

I should be able to run "chcon -t testrel_shlib_t /usr/NX/lib/libXcomp.so.1" and make it work. Except this command gives me:

chcon: failed to change context of /usr/NX/lib/libXcomp.so.1 to system_u:object_r:testrel_shlib_t: Invalid argument

Is this type not valid on FC5? Which leads me to: how can I list the available types on the system?

Thanks
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
"Backups are for wimps. Real men upload their work to an ftp server and have everybody mirror it." -- Linus Torvalds

From Frederick.New at MicroLink.ee Thu Apr 13 08:18:54 2006
From: Frederick.New at MicroLink.ee (Frederick New)
Date: Thu, 13 Apr 2006 11:18:54 +0300
Subject: Support for the NX client
Message-ID:

On 13. aprill 2006. a. 11:10, Aurelien Bompard wrote:
>
> I should be able to run "chcon -t testrel_shlib_t
> /usr/NX/lib/libXcomp.so.1"
> and make it work. Except this command gives me:
>
> chcon: failed to change context of /usr/NX/lib/libXcomp.so.1 to
> system_u:object_r:testrel_shlib_t: Invalid argument
>
> Is this type not valid on FC5? Which leads me to: how can I list the
> available types on the system?

This is a small typo in the wiki. It should be textrel_shlib_t.

Fred

From paul at city-fan.org Thu Apr 13 08:24:11 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 13 Apr 2006 09:24:11 +0100
Subject: Support for the NX client
In-Reply-To:
References:
Message-ID: <1144916651.23369.40.camel@laurel.intra.city-fan.org>

On Thu, 2006-04-13 at 11:18 +0300, Frederick New wrote:
> On 13. aprill 2006. a. 11:10, Aurelien Bompard wrote:
> >
> > I should be able to run "chcon -t testrel_shlib_t
> > /usr/NX/lib/libXcomp.so.1"
> > and make it work. Except this command gives me:
> >
> > chcon: failed to change context of /usr/NX/lib/libXcomp.so.1 to
> > system_u:object_r:testrel_shlib_t: Invalid argument
> >
> > Is this type not valid on FC5? Which leads me to: how can I list the
> > available types on the system?
>
> This is a small typo in the wiki. It should be textrel_shlib_t.

I just fixed the typo in the wiki. Unfortunately the error crept into the released FAQ at http://fedora.redhat.com/docs/selinux-faq-fc5/ too but I see that that's been fixed now as well.

Paul.

From gauret at free.fr Thu Apr 13 08:37:42 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Thu, 13 Apr 2006 10:37:42 +0200
Subject: Support for the NX client
References:
Message-ID:

> This is a small typo in the wiki. It should be textrel_shlib_t.

OK, thanks. For the record, to have the NX client work on FC-5, one has to run:

chcon -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1 /usr/NX/lib/libjpeg.so.62

I'll contact them to have them add this to their rpm, together with the corresponding semanage call, which should be:

semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1
semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libjpeg.so.62

Thanks for your help
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
Unix IS user-friendly. It is just very picky about who his friends are.

From paul at city-fan.org Thu Apr 13 09:20:46 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 13 Apr 2006 10:20:46 +0100
Subject: Support for the NX client
In-Reply-To:
References:
Message-ID: <443E17EE.3010604@city-fan.org>

Aurelien Bompard wrote:
>> This is a small typo in the wiki. It should be textrel_shlib_t.
>
> OK, thanks. For the record, to have the NX client work on FC-5, one has to
> run:
> chcon -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1 /usr/NX/lib/libjpeg.so.62
>
> I'll contact them to have them add this to their rpm, together with the
> corresponding semanage call, which should be:
> semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1
> semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libjpeg.so.62

I doubt that they'd want to put FC5-specific stuff in a package that was meant for multiple distributions. And if the package was supposed to be for FC5 specifically, there would be no need to ship libjpeg.so.62 (which is part of core), nor would there be a need for that library to be textrel_shlib_t (the core version built using FC5 %{optflags} isn't).

Paul.

From gauret at free.fr Thu Apr 13 10:06:12 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Thu, 13 Apr 2006 12:06:12 +0200
Subject: Support for the NX client
References: <443E17EE.3010604@city-fan.org>
Message-ID:

Paul Howarth wrote:
> Aurelien Bompard wrote:
>>> This is a small typo in the wiki. It should be textrel_shlib_t.
>>
>> OK, thanks. For the record, to have the NX client work on FC-5, one has
>> to run:
>> chcon -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1
>> /usr/NX/lib/libjpeg.so.62
>>
>> I'll contact them to have them add this to their rpm, together with the
>> corresponding semanage call, which should be:
>> semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1
>> semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libjpeg.so.62
>
> I doubt that they'd want to put FC5-specific stuff in a package that was
> meant for multiple distributions.

They already do. The rpm is meant for multiple distributions, and the scriptlets handle the different cases.

$ rpm -q --scripts nxclient | wc -l
527

Yes, scary, but that happens a lot with proprietary packages.

Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
Experience is something you acquire just after having needed it.

From sds at tycho.nsa.gov Thu Apr 13 12:08:40 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 08:08:40 -0400
Subject: Create new types in modules?
In-Reply-To: <1144913765.23369.30.camel@laurel.intra.city-fan.org>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org>
Message-ID: <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 08:36 +0100, Paul Howarth wrote:
> Is it possible to create new context types in a loadable module?

Yes. Just declare them outside of a requires block (requires blocks are just for symbols that your module requires to be defined by the base or another module, not for symbols it defines itself).

> Here's why I ask:
>
> I'm trying to use mock to build packages on FC5 targeted at older
> distributions, like Red Hat 8 for instance (more on mock at
> http://fedoraproject.org/wiki/Legacy/Mock and
> http://fedoraproject.org/wiki/Projects/Mock). What mock basically does
> is to create a chroot with a build environment for the target
> distribution and runs a regular rpm build within that chroot, pulling in
> the other distro's binaries, shared libraries, etc.
>
> Mock's approach to SELinux is simple: it loads a dummy libselinux that
> effectively turns it off.

Not likely to work under any policy other than targeted. Dummy libselinux can only turn off userland SELinux processing; it wouldn't affect the kernel enforcement mechanism, so the process would still be subjected to permission checks and a failure to transition properly due to the disabled userland code could still lead to denials.

> However, with FC5, this no longer seems to be enough. The memory tests
> don't like loading ancient DSO's that don't have separate stack segments
> and so some builds fail with execmod errors.
> I tried using semanage to
> set the default context for .so.* files under the chroot to
> textrel_shlib_t but although restorecon targeted those files properly,
> the contexts weren't set properly within the chrooted build (would I
> have to remove the chroot prefix in the semanage call to get that to
> work? it's not something I want to do as I'll get the wrong contexts on
> files in the host system that way).

rpm likely doesn't even try setting the contexts on the files because the dummy libselinux is likely telling it that SELinux isn't enabled (via is_selinux_enabled() < 0). In fact, that happens anyway under a chroot if you don't mount proc under it (and you also typically need selinuxfs as well). rpm --root has similar problems which no one has yet resolved.

> So, my idea was to define everything under my chroot as a new type,
> mock_root_t, and then have a module like this:
>
> module mock 0.2;
>
> require {
>         class file execmod;
>
>         type unconfined_t;
>         type mock_root_t;
> };

Move the mock_root_t type decl outside of the requires block.

> allow unconfined_t mock_root_t:file execmod;
>
> However, I can't load this module using semodule because mock_root_t
> doesn't exist. So is there a way of defining a new type in a module?

Yes, as above.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Apr 13 12:20:21 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 08:20:21 -0400
Subject: Create new types in modules?
In-Reply-To: <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org> <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
> > So, my idea was to define everything under my chroot as a new type,
> > mock_root_t, and then have a module like this:
> >
> > module mock 0.2;
> >
> > require {
> >         class file execmod;
> >
> >         type unconfined_t;
> >         type mock_root_t;
> > };
>
> Move the mock_root_t type decl outside of the requires block.

Oh, and you should really do it like this (similar to my prior discussion about creating a policy module for the samba issue):

$ mkdir mock
$ cd mock
$ vi mock.te
i(nsert)
policy_module(mock, 0.2)

require {
        type unconfined_t;
};

type mock_root_t;
files_type(mock_root_t) # allow this type to be used for files
allow unconfined_t mock_root_t:file execmod;
:wq
$ touch mock.if mock.fc
$ make -f /usr/share/selinux/devel/Makefile
$ su
# semodule -i mock.pp

Chad and Dan, can we get this kind of example (and/or the prior one I created for the samba issue) added to the FAQ? Otherwise, people don't have good examples to follow.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Apr 13 12:25:20 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 08:25:20 -0400
Subject: Create new types in modules?
In-Reply-To: <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org> <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil> <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144931120.7020.24.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 08:20 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
> > > So, my idea was to define everything under my chroot as a new type,
> > > mock_root_t, and then have a module like this:
> > >
> > > module mock 0.2;
> > >
> > > require {
> > >         class file execmod;
> > >
> > >         type unconfined_t;
> > >         type mock_root_t;
> > > };
> >
> > Move the mock_root_t type decl outside of the requires block.
>
> Oh, and you should really do it like this (similar to my prior
> discussion about creating a policy module for the samba issue):
> $ mkdir mock
> $ cd mock
> $ vi mock.te
> i(nsert)
> policy_module(mock, 0.2)
>
> require {
>         type unconfined_t;
> };
>
> type mock_root_t;
> files_type(mock_root_t) # allow this type to be used for files
> allow unconfined_t mock_root_t:file execmod;
> :wq

Two key points about the above module source vs. what you posted:

1) Use policy_module macro/interface rather than just a direct module decl - this needs to be updated in all refpolicy documentation. It brings in additional content including require statements for the kernel classes and permissions so that you don't have to do that.

2) When you define a new type, you have to assign it appropriate attributes, and in refpolicy, this is done by using an appropriate interface like files_type or domain_type. Interfaces are located under /usr/share/selinux/devel/include and are documented under /usr/share/doc/selinux-policy-x.y.z/html as well as on the refpolicy sourceforge site (http://serefpolicy.sf.net).
> $ touch mock.if mock.fc
> $ make -f /usr/share/selinux/devel/Makefile
> $ su
> # semodule -i mock.pp
>
> Chad and Dan, can we get this kind of example (and/or the prior one I
> created for the samba issue) added to the FAQ? Otherwise, people don't
> have good examples to follow.

--
Stephen Smalley
National Security Agency

From paul at city-fan.org Thu Apr 13 13:17:23 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 13 Apr 2006 14:17:23 +0100
Subject: Create new types in modules?
In-Reply-To: <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org> <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil> <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <443E4F63.8010306@city-fan.org>

Stephen Smalley wrote:
> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
>>> So, my idea was to define everything under my chroot as a new type,
>>> mock_root_t, and then have a module like this:
>>>
>>> module mock 0.2;
>>>
>>> require {
>>>         class file execmod;
>>>
>>>         type unconfined_t;
>>>         type mock_root_t;
>>> };
>> Move the mock_root_t type decl outside of the requires block.
>
> Oh, and you should really do it like this (similar to my prior
> discussion about creating a policy module for the samba issue):
> $ mkdir mock
> $ cd mock
> $ vi mock.te
> i(nsert)
> policy_module(mock, 0.2)
>
> require {
>         type unconfined_t;
> };
>
> type mock_root_t;
> files_type(mock_root_t) # allow this type to be used for files
> allow unconfined_t mock_root_t:file execmod;
> :wq
> $ touch mock.if mock.fc
> $ make -f /usr/share/selinux/devel/Makefile
> $ su
> # semodule -i mock.pp

Excellent - thanks.

Now why isn't this doing what I expect:

# semanage fcontext -a -t mock_root_t \
  /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
# mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
# ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x  paul mock user_u:object_r:usr_t            result
drwxr-sr-x  root mock root:object_r:usr_t              root
drwxrwsr-x  paul mock user_u:object_r:usr_t            state
# restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root context root:object_r:usr_t->system_u:object_r:mock_root_t
# ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
drwxrwsr-x  paul mock user_u:object_r:usr_t            result
drwxr-sr-x  root mock system_u:object_r:mock_root_t    root
drwxrwsr-x  paul mock user_u:object_r:usr_t            state

Why doesn't the directory /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type mock_root_t in the first place rather than having to do the restorecon on it?

I suspect this is why Aurelien's %pre script in the awstats package failed too.

Paul.

From selinux at gmail.com Thu Apr 13 14:46:15 2006
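Paul's question above (why mkdir produced usr_t until restorecon ran) and Stephen's earlier puzzle about /etc/mtab flipping between etc_runtime_t and etc_t have the same root: the kernel types a newly created file or directory from the creating domain's type_transition rules, or, absent a rule, lets it inherit the parent directory's type; the file-context specs that semanage fcontext (or a module's .fc file) installs are consulted only by restorecon/setfiles at relabel time. The Python model below is an added illustration, not code from the thread. Its rule tables are constructed for the example (the "unconfined_t has no etc_t:file transition" entry encodes Stephen's hypothesis from the thread as an assumption); on a real system the loaded policy decides, and sesearch(1) shows the actual rules.

```python
"""Model of how the kernel types a newly created file or directory, and of
what restorecon does afterwards.  Added illustration, not code from the list
thread: the rule tables are constructed for this example and are not read
from a loaded policy (sesearch(1) shows the real type_transition rules)."""

import re
from typing import Dict, List, Optional, Tuple

# type_transition rules: (creating domain, parent type, class) -> new type.
# Constructed to mirror the thread: mount_t has the etc_t:file -> etc_runtime_t
# transition; unconfined_t has none (Stephen's hypothesis, taken as an assumption).
TransitionTable = Dict[Tuple[str, str, str], str]
SAMPLE_TRANSITIONS: TransitionTable = {
    ("mount_t", "etc_t", "file"): "etc_runtime_t",
}

# file_contexts-style specs (regex, type), as semanage fcontext -a or a module's
# .fc file would install them.  The second one is Paul's spec from the thread.
SpecTable = List[Tuple[str, str]]
SAMPLE_SPECS: SpecTable = [
    (r"/usr/share/fsdata(/.*)?", "usr_t"),
    (r"/usr/share/fsdata/mock/[^/]*/root(/.*)?", "mock_root_t"),
]


def label_new_object(domain: str, parent_type: str, tclass: str,
                     transitions: TransitionTable) -> str:
    """Type given at creation time: a matching type_transition rule wins,
    otherwise the object inherits its parent directory's type.  File-context
    specs are not consulted here at all."""
    return transitions.get((domain, parent_type, tclass), parent_type)


def restorecon_type(path: str, specs: SpecTable) -> Optional[str]:
    """Type restorecon would set: the last spec whose regex matches the whole
    path (so a more specific later entry overrides a base entry), or None if
    nothing matches."""
    chosen = None
    for pattern, ftype in specs:
        if re.fullmatch(pattern, path):
            chosen = ftype
    return chosen


def needs_relabel(path: str, current_type: str, specs: SpecTable) -> bool:
    """True when restorecon -v would report a reset for this path."""
    wanted = restorecon_type(path, specs)
    return wanted is not None and wanted != current_type


def replay_thread() -> Dict[str, str]:
    """Replay the two situations from the thread with the constructed tables."""
    root_dir = "/usr/share/fsdata/mock/redhat-8.0-i386-core/root"
    at_mkdir = label_new_object("unconfined_t", "usr_t", "dir", SAMPLE_TRANSITIONS)
    return {
        # mount re-creating /etc/mtab under /etc (etc_t) with a transition rule
        "mtab_created_by_mount_t": label_new_object("mount_t", "etc_t", "file", SAMPLE_TRANSITIONS),
        # the same file re-created by a domain with no rule inherits etc_t
        "mtab_created_by_unconfined_t": label_new_object("uncon" "fined_t", "etc_t", "file", SAMPLE_TRANSITIONS),
        # Paul's mkdir: parent is usr_t and no rule applies, so usr_t regardless of the spec
        "mock_root_at_mkdir": at_mkdir,
        # restorecon then matches the spec and relabels
        "mock_root_after_restorecon": restorecon_type(root_dir, SAMPLE_SPECS) or at_mkdir,
    }


if __name__ == "__main__":
    for case, result in replay_thread().items():
        print(f"{case}: {result}")
```

Getting the directory created as mock_root_t in the first place therefore needs a type_transition rule for the creating domain in policy (refpolicy's filetrans_pattern support macro generates one); moving the spec from semanage fcontext into the module's mock.fc file changes where the spec lives, not when it is applied.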
From: selinux at gmail.com (Tom London)
Date: Thu, 13 Apr 2006 07:46:15 -0700
Subject: prelink and java_exec_t
Message-ID: <4c4ba1530604130746w11cc152excd7f1fed6516652f@mail.gmail.com>

Get this from latest rawhide policy:

type=AVC msg=audit(1144938632.660:3574): avc: denied { read } for pid=4722 comm="prelink" name="gij" dev=dm-0 ino=5795535 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1144938632.660:3574): arch=40000003 syscall=5 success=no exit=-13 a0=8e9f9a0 a1=8000 a2=0 a3=0 items=1 pid=4722 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0
type=CWD msg=audit(1144938632.660:3574): cwd="/"
type=PATH msg=audit(1144938632.660:3574): item=0 name="/usr/bin/gij" inode=5795535 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:java_exec_t:s0
type=AVC msg=audit(1144938638.996:3575): avc: denied { read } for pid=4722 comm="prelink" name="gcj-dbtool" dev=dm-0 ino=5801815 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1144938638.996:3575): arch=40000003 syscall=5 success=no exit=-13 a0=8e9f9a0 a1=8000 a2=0 a3=0 items=1 pid=4722 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0
type=CWD msg=audit(1144938638.996:3575): cwd="/"
type=PATH msg=audit(1144938638.996:3575): item=0 name="/usr/bin/gcj-dbtool" inode=5801815 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:java_exec_t:s0

tom
--
Tom London

From jcliburn at gmail.com Thu Apr 13 15:25:03 2006
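As an added illustration (not code from the thread, and not the real audit2allow), the following Python parser turns AVC records like the two above into the merged allow rules that `audit2allow -a`, suggested later in this archive, would print. The two prelink records are copied from the message; the third record and the permission review list are constructed.

```python
"""Parse SELinux AVC denial records and summarise them as allow rules."""
import re
from collections import defaultdict

# Permission names that a generated rule should not grant without a
# second look (constructed list: execmod/execmem are the ones the NX and
# Oracle threads hit; write is the utmp case discussed for pure-ftpd).
REVIEW_PERMS = {"execmod", "execmem", "execstack", "write"}

# The braces after "denied" hold the permission set; scontext/tcontext
# are user:role:type[:mls] strings, tclass is the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)"
)

# Two records from the message above plus one constructed ftpd_t record.
SAMPLE_AVC = [
    'type=AVC msg=audit(1144938632.660:3574): avc: denied { read } for pid=4722 '
    'comm="prelink" name="gij" dev=dm-0 ino=5795535 '
    'scontext=system_u:system_r:prelink_t:s0 '
    'tcontext=system_u:object_r:java_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1144938638.996:3575): avc: denied { read } for pid=4722 '
    'comm="prelink" name="gcj-dbtool" dev=dm-0 ino=5801815 '
    'scontext=system_u:system_r:prelink_t:s0 '
    'tcontext=system_u:object_r:java_exec_t:s0 tclass=file',
    # constructed: what a pure-ftpd utmp access would look like
    'type=AVC msg=audit(1145000000.000:1): avc: denied { read write } for pid=1 '
    'comm="pure-ftpd" name="utmp" dev=dm-0 ino=1 '
    'scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
]


def parse_avc(line):
    """Return (source type, target type, class, {perms}) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def collect_rules(lines):
    """Merge every denial sharing (source, target, class) into one rule."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render rules in .te syntax, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def needs_review(rules):
    """Keys of rules that grant a permission in REVIEW_PERMS."""
    return sorted(k for k, perms in rules.items() if perms & REVIEW_PERMS)


if __name__ == "__main__":
    generated = collect_rules(SAMPLE_AVC)
    for rule in format_rules(generated):
        print(rule)
    for key in needs_review(generated):
        print("review before loading:", key)
```

The ftpd_t rule is flagged because it carries write, which, as discussed later in this archive for utmp, may only be the library's open-for-rw attempt before it falls back to read-only.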
From: jcliburn at gmail.com (J. K. Cliburn)
Date: Thu, 13 Apr 2006 10:25:03 -0500
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com>

On 4/12/06, Stephen Smalley wrote:
> On Wed, 2006-04-12 at 14:43 -0400, Stephen Smalley wrote:
> > > And "some process" can be as simple as umount:
> > >
> > > # ls -Z /etc/mtab
> > > -rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
> > > # ls -i /etc/mtab
> > > 31987 /etc/mtab
> > > # umount /opt
> > > # ls -Z /etc/mtab
> > > -rw-r--r--  root root user_u:object_r:etc_t            /etc/mtab
> > > # ls -i /etc/mtab
> > > 33358 /etc/mtab
> >
> > Hmm...that's interesting.  umount should run in the same domain as
> > mount, and they should thus have a type transition on etc_t:file to
> > etc_runtime_t.  ls -Z /bin/umount
>
> Looks like there is no transition defined into mount_t from
> unconfined_t?  So umount and mount are just run in unconfined_t?  And
> unconfined_t lacks the type transition?

Sorry to be a pest, but what action do I need to take on my system to
enable correct floppy drive mounting and unmounting?

From jcliburn at gmail.com Thu Apr 13 15:27:38 2006
From: jcliburn at gmail.com (J. K. Cliburn)
Date: Thu, 13 Apr 2006 10:27:38 -0500
Subject: postmap command avc: denied messages
In-Reply-To: <443C24C9.7060200@redhat.com>
References: <3400f2f60604101125x28e84ee3l753797dc01403b19@mail.gmail.com> <443C24C9.7060200@redhat.com>
Message-ID: <3400f2f60604130827o4916a406jb34b053e0c2abb82@mail.gmail.com>

On 4/11/06, Daniel J Walsh wrote:
> J. K. Cliburn wrote:
> > First, should I file a bugzilla for this?
> >
> > Second, is there a workaround?  Oddly, it didn't seem to impede the
> > completion of the postmap command.
> >
> Are you running in permissive mode?
>
> These messages probably would not appear in enforcing mode and therefore
> can be ignored.

I'm running in enforcing mode, yet the messages appear in my syslog.
This was the motivation for my "Oddly, ..." statement in the OP.

From sds at tycho.nsa.gov Thu Apr 13 15:52:54 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 11:52:54 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com>
Message-ID: <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 10:25 -0500, J. K. Cliburn wrote:
> On 4/12/06, Stephen Smalley wrote:
> > On Wed, 2006-04-12 at 14:43 -0400, Stephen Smalley wrote:
> > > > And "some process" can be as simple as umount:
> > > >
> > > > # ls -Z /etc/mtab
> > > > -rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
> > > > # ls -i /etc/mtab
> > > > 31987 /etc/mtab
> > > > # umount /opt
> > > > # ls -Z /etc/mtab
> > > > -rw-r--r--  root root user_u:object_r:etc_t            /etc/mtab
> > > > # ls -i /etc/mtab
> > > > 33358 /etc/mtab
> > >
> > > Hmm...that's interesting.  umount should run in the same domain as
> > > mount, and they should thus have a type transition on etc_t:file to
> > > etc_runtime_t.  ls -Z /bin/umount
> >
> > Looks like there is no transition defined into mount_t from
> > unconfined_t?  So umount and mount are just run in unconfined_t?  And
> > unconfined_t lacks the type transition?
>
> Sorry to be a pest, but what action do I need to take on my system to
> enable correct floppy drive mounting and unmounting?

Seems like a policy bug (omission of a transition from unconfined_t to
mount_t) to me.  Otherwise, /etc/mtab is going to lose its type every
time you run mount/umount from the shell.  Dan?

--
Stephen Smalley
National Security Agency

From kiwibee at usrbin.org Thu Apr 13 16:41:25 2006
From: kiwibee at usrbin.org (Jean-Christophe Choisy)
Date: Thu, 13 Apr 2006 12:41:25 -0400
Subject: Oracle-XE on FC5
Message-ID: <83A9C1CA-FAA8-45CF-A1ED-4AE849275031@usrbin.org>

Hello,

I've been trying to install and use Oracle-XE (express edition) on
Fedora Core 5.  I failed at it.  The rpm installs fine of course, but
the initial configuration fails.  The script invoked fails to create
some directories, the database is never created and so on...

I tried to fix it myself and found some 'execmod' avc's in audit.log,
then chcon'd the respective .so files.  Still, after fixing all of the
reported ones, it still doesn't work and leaves me rather clueless as
to why.  Switching to permissive mode indeed solves it all.

I would really like to keep selinux in enforcing mode, and I guess
I'm missing something rather simple here...  Has anyone got oracle-xe
running in fc5 with selinux enforcing?  (targeted policy).

Thanks.

From idonttrustmspassport at ktcasey.plus.com Thu Apr 13 16:52:51 2006
From: idonttrustmspassport at ktcasey.plus.com (idonttrustmspassport at ktcasey.plus.com)
Date: Thu, 13 Apr 2006 17:52:51 +0100
Subject: SElinux Removal?
Message-ID: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>

Is it possible to remove SELinux completely during FC5 installation, or
even when installed?

So far problems during YUM updates (It gives errors while installing
policies then freezes Yum) have destroyed my system twice.
(In both cases the system refuses to boot with an error "not syncing:
Attempting to kill init!".

Passing a parm of selinux=disabled to the kernel allowed a boot, but all my
attempts to make this permanent then fail and I end up reinstalling and
reconfiguring.

I *cannot* complain that it is insecure, I can't even edit the files to
disable it more permanently from the rescue function..

My problem is that for the systems I build it is overkill at the "BFG to
kill a flea level"...

I admit to being a newbie, I only started 10 years ago, *never* had
anything so good at locking down my PC, it seems to be a first class option
for DRM..

So, can I get rid of it completely,
1) I tried uninstalling everything with SELinux in the name, interesting
effect try it one day when you have some time...
2) Tried the gui tool, (as a minimum I thought I'd turn it to the lowest
level) it brings up a command prompt which freezes...
3) Tried editing the files to disable it at reboot, fails with "file is
read only", chmod failed with "file is read only", chmod of the directory
failed with "read only"..

Is there any chance that, as a minimum it could give an error message like
"SELinux configuration is corrupt, boot halted" as it took me a loooooong
time to figure out what was wrong...  And is there a documented process to
handle a situation where the configuration is corrupted (accidentally or
during an update) and the whole system is locked?

Don't (Please don't) take this in the wrong way, I quite like FC5 apart
from the effects of the new security, and I am sure there are people that
need this, it's just for me the cure is proving much worse than the disease.

Keiron Casey

From smooge at gmail.com Thu Apr 13 17:00:32 2006
From: smooge at gmail.com (Stephen J. Smoogen)
Date: Thu, 13 Apr 2006 11:00:32 -0600
Subject: Oracle-XE on FC5
In-Reply-To: <83A9C1CA-FAA8-45CF-A1ED-4AE849275031@usrbin.org>
References: <83A9C1CA-FAA8-45CF-A1ED-4AE849275031@usrbin.org>
Message-ID: <80d7e4090604131000s6c606794ube43857687132dce@mail.gmail.com>

On 4/13/06, Jean-Christophe Choisy wrote:
> Hello,
>
> I've been trying to install and use Oracle-XE (express edition) on
> Fedora Core 5.  I failed at it.  The rpm installs fine of course, but
> the initial configuration fails.  The script invoked fails to create
> some directories, the database is never created and so on...
>
> I tried to fix it myself and found some 'execmod' avc's in audit.log,
> then chcon'd the respective .so files.  Still, after fixing all of the
> reported ones, it still doesn't work and leaves me rather clueless as
> to why.  Switching to permissive mode indeed solves it all.
>

Could you post the avc's .. maybe an audit2allow -a to get an idea of
what was being seen.

> I would really like to keep selinux in enforcing mode, and I guess
> I'm missing something rather simple here...  Has anyone got oracle-xe
> running in fc5 with selinux enforcing?  (targeted policy).
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

From rdieter at math.unl.edu Thu Apr 13 17:01:36 2006
From: rdieter at math.unl.edu (Rex Dieter)
Date: Thu, 13 Apr 2006 12:01:36 -0500
Subject: SElinux Removal?
References: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
Message-ID:

idonttrustmspassport at ktcasey.plus.com wrote:

> Is it possible to remove SELinux completely during FC5 installation, or
> even when installed?

edit /etc/sysconfig/selinux, set
SELINUX=permissive
or more drastic
SELINUX=disabled

-- Rex

From sds at tycho.nsa.gov Thu Apr 13 17:08:38 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 13:08:38 -0400
Subject: SElinux Removal?
In-Reply-To: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
References: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
Message-ID: <1144948118.8865.53.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 17:52 +0100, idonttrustmspassport at ktcasey.plus.com wrote:
> Is it possible to remove SELinux completely during FC5 installation, or
> even when installed?

Disable, yes.  Remove, no.

> So far problems during YUM updates (It gives errors while installing
> policies then freezes Yum) have destroyed my system twice.
> (In both cases the system refuses to boot with an error "not syncing:
> Attempting to kill init!".

Hmm..well, more details would be interesting as that should obviously not
be happening and hasn't been reported elsewhere AFAIK.  bugzilla even.

> Passing a parm of selinux=disabled to the kernel allowed a boot, but all my
> attempts to make this permanent then fail and I end up reinstalling and
> reconfiguring.

selinux=0 on the kernel line in grub.conf or SELINUX=disabled
in /etc/selinux/config should do the trick.

> I admit to being a newbie, I only started 10 years ago, *never* had
> anything so good at locking down my PC, it seems to be a first class option
> for DRM..

Um, no.  MAC != DRM.

> So, can I get rid of it completely,
> 1) I tried uninstalling everything with SELinux in the name, interesting
> effect try it one day when you have some time...

Not feasible, as the SELinux kernel "module" is built into the kernel,
and libselinux is a dependency for /sbin/init, coreutils, and other
critical components.  You can't remove the code without rebuilding
everything, but you can disable its execution.

> 2) Tried the gui tool, (as a minimum I thought I'd turn it to the lowest
> level) it brings up a command prompt which freezes...
> 3) Tried editing the files to disable it at reboot, fails with "file is
> read only", chmod failed with "file is read only", chmod of the directory
> failed with "read only"..

Sounds like the filesystem is mounted read-only, not SELinux-related at
all.  mount -o rw,remount /?  If you booted with selinux=0, then SELinux
is disabled.

> Is there any chance that, as a minimum it could give an error message like
> "SELinux configuration is corrupt, boot halted" as it took me a loooooong
> time to figure out what was wrong...

Hmmm.../sbin/init does contain a log call to output 'Unable to load
SELinux Policy. Machine is in enforcing mode. Halting now.'  Don't know
if there is a problem that is preventing that from being displayed
properly.

> And is there a documented process to
> handle a situation where the configuration is corrupted (accidentally or
> during an update) and the whole system is locked?

Boot with enforcing=0 is usually sufficient, or selinux=0 if that
doesn't work.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Apr 13 17:09:39 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 13:09:39 -0400
Subject: SElinux Removal?
In-Reply-To: <1144948118.8865.53.camel@moss-spartans.epoch.ncsc.mil>
References: <3.0.6.32.20060413175251.00adcb60@mail.plus.net> <1144948118.8865.53.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1144948179.8865.55.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 13:08 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-13 at 17:52 +0100, idonttrustmspassport at ktcasey.plus.com
> wrote:
> > Is it possible to remove SELinux completely during FC5 installation, or
> > even when installed?
>
> Disable, yes.  Remove, no.
>
> > So far problems during YUM updates (It gives errors while installing
> > policies then freezes Yum) have destroyed my system twice.
> > (In both cases the system refuses to boot with an error "not syncing:
> > Attempting to kill init!".
>
> Hmm..well, more details would be interesting as that should obviously not
> be happening and hasn't been reported elsewhere AFAIK.  bugzilla even.
>
> > Passing a parm of selinux=disabled to the kernel allowed a boot, but all my
> > attempts to make this permanent then fail and I end up reinstalling and
> > reconfiguring.
>
> selinux=0 on the kernel line in grub.conf or SELINUX=disabled
> in /etc/selinux/config should do the trick.

Oh, and you should have been able to disable it at install time too.
anaconda does ask about it.

--
Stephen Smalley
National Security Agency

From rmy at tigress.co.uk Thu Apr 13 17:35:16 2006
From: rmy at tigress.co.uk (Ron Yorston)
Date: Thu, 13 Apr 2006 18:35:16 +0100
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk>

Stephen Smalley wrote:
>Seems like a policy bug (omission of a transition from unconfined_t to
>mount_t) to me.  Otherwise, /etc/mtab is going to lose its type every
>time you run mount/umount from the shell.  Dan?

Just a clarification (or confusion): it's only umount that causes the
problem.  mount doesn't create a new /etc/mtab file and doesn't change
the context:

# ls -Z /etc/mtab
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
# ls -i /etc/mtab
33032 /etc/mtab
# mount /opt
# ls -Z /etc/mtab
-rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
# ls -i /etc/mtab
33032 /etc/mtab
#

Ron

From sds at tycho.nsa.gov Thu Apr 13 18:00:52 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 13 Apr 2006 14:00:52 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk>
Message-ID: <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-13 at 18:35 +0100, Ron Yorston wrote:
> Stephen Smalley wrote:
> >Seems like a policy bug (omission of a transition from unconfined_t to
> >mount_t) to me.  Otherwise, /etc/mtab is going to lose its type every
> >time you run mount/umount from the shell.  Dan?
>
> Just a clarification (or confusion): it's only umount that causes the
> problem.  mount doesn't create a new /etc/mtab file and doesn't change
> the context:
>
> # ls -Z /etc/mtab
> -rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
> # ls -i /etc/mtab
> 33032 /etc/mtab
> # mount /opt
> # ls -Z /etc/mtab
> -rw-r--r--  root root system_u:object_r:etc_runtime_t  /etc/mtab
> # ls -i /etc/mtab
> 33032 /etc/mtab
> #

Ah, ok.  strace of mount and umount suggests that mount just
writes/appends to the existing file in place while umount creates a new
file without the entry and then replaces the original file via rename.
Which would explain why mount doesn't disturb the type but umount does.
Regardless, I think it makes sense to have unconfined_t transition to
mount_t.

--
Stephen Smalley
National Security Agency

From mc-al34luc at sbcglobal.net Thu Apr 13 20:02:52 2006
From: mc-al34luc at sbcglobal.net (Mike Carney)
Date: Thu, 13 Apr 2006 13:02:52 -0700
Subject: FC5: what context should I use for extra ext3 filesystems?
Message-ID:

Greetings,

I've got a couple of extra filesystems I use for various reasons which
currently have a default_t context.  I mount them under a new directory
"/export", which I've set to mnt_t:

/dev/sda9 on /export/0 type ext3 (rw)
/dev/sdb9 on /export/1 type ext3 (rw)
/dev/sdb10 on /export/2 type ext3 (rw)

203# ls -dZ /export /export/*
drwxr-xr-x  root root system_u:object_r:mnt_t          /export/
drwxr-xr-x  root root system_u:object_r:default_t      /export/0/
drwxr-xr-x  root root system_u:object_r:default_t      /export/1/
drwxr-xr-x  root root system_u:object_r:default_t      /export/2/
204#

Any guidance as to what context should I set these file system mount
points to?  mnt_t?  usr_t?  How do I specify using semanage that I don't
want the relabel to propagate to subdirectories?  (e.g., <>).

Thanks in advance,

Mike

From gauret at free.fr Fri Apr 14 07:05:33 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Fri, 14 Apr 2006 09:05:33 +0200
Subject: SELinux and RPM Packaging
Message-ID:

Hi *,

I've put up a page on the Fedora wiki to help packagers deal with
SELinux support from FC5 onwards :
http://fedoraproject.org/wiki/Packaging/SELinux
It gathers solutions I've read on this list and in the FAQs.  Please
have a look at it, check it for mistakes, and add new use cases when you
find some.  And since I'm not a native English speaker, there probably
are mistakes all over the page, so feel free to edit to your heart's
content (even when it is grammatically correct but "sounds weird").

I hope this page can become a reference for RPM packagers in the future.

Thanks,
Aurélien

--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
"Never test for an error condition you don't know how to handle."
    -- Steinbach's Guideline for Systems Programming

From dwalsh at redhat.com Fri Apr 14 12:54:11 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 08:54:11 -0400
Subject: Create new types in modules?
In-Reply-To: <443E4F63.8010306@city-fan.org>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org> <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil> <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil> <443E4F63.8010306@city-fan.org>
Message-ID: <443F9B73.8070302@redhat.com>

Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Thu, 2006-04-13 at 08:08 -0400, Stephen Smalley wrote:
>>>> So, my idea was to define everything under my chroot as a new type,
>>>> mock_root_t, and then have a module like this:
>>>>
>>>> module mock 0.2;
>>>>
>>>> require {
>>>>     class file execmod;
>>>>
>>>>     type unconfined_t;
>>>>     type mock_root_t;
>>>> };
>>> Move the mock_root_t type decl outside of the requires block.
>>
>> Oh, and you should really do it like this (similar to my prior
>> discussion about creating a policy module for the samba issue):
>> $ mkdir mock
>> $ cd mock
>> $ vi mock.te
>> i(nsert)
>> policy_module(mock, 0.2)
>>
>> require {
>>     type unconfined_t;
>> };
>>
>> type mock_root_t;
>> files_type(mock_root_t) # allow this type to be used for files
>> allow unconfined_t mock_root_t:file execmod;
>> :wq
>> $ touch mock.if mock.fc
>> $ make -f /usr/share/selinux/devel/Makefile
>> $ su
>> # semodule -i mock.pp
>
> Excellent - thanks.
>
> Now why isn't this doing what I expect:
>
> # semanage fcontext -a -t mock_root_t \
>     /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x  paul mock user_u:object_r:usr_t            result
> drwxr-sr-x  root mock root:object_r:usr_t              root
> drwxrwsr-x  paul mock user_u:object_r:usr_t            state
> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> context root:object_r:usr_t->system_u:object_r:mock_root_t
> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> drwxrwsr-x  paul mock user_u:object_r:usr_t            result
> drwxr-sr-x  root mock system_u:object_r:mock_root_t    root
> drwxrwsr-x  paul mock user_u:object_r:usr_t            state
>
> Why doesn't the directory
> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
> mock_root_t in the first place rather than having to do the restorecon
> on it?
>

You need to tell mkdir which context to create it with or write a
transition rule in policy that says when context ABC_t creates files in
directories labeled DEF_T, create them GEH_T.

You can also look at mkdir -Z.

> I suspect this is why Aurelien's %pre script in the awstats package
> failed too.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Fri Apr 14 12:58:48 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 08:58:48 -0400
Subject: Support for the NX client
In-Reply-To:
References:
Message-ID: <443F9C88.3060908@redhat.com>

Aurelien Bompard wrote:
>> This is a small typo in the wiki.  It should be textrel_shlib_t.
>>
>
> OK, thanks.  For the record, to have the NX client work on FC-5, one has to
> run :
> chcon -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1 /usr/NX/lib/libjpeg.so.62
>
> I'll contact them to have them add this to their rpm, together with the
> corresponding semanage call, which should be :
> semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libXcomp.so.1
> semanage fcontext -a -t textrel_shlib_t /usr/NX/lib/libjpeg.so.62
>
> Thanks for your help
>
> Aurélien
>

Tell them to try to fix their libraries so they do not require execmod
privs.

http://people.redhat.com/drepper/selinux-mem.html

Thanks,
Dan

From gauret at free.fr Fri Apr 14 13:00:05 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Fri, 14 Apr 2006 15:00:05 +0200
Subject: Add SELinux protection to Pure-FTPd
Message-ID:

Hi,

I'm trying to add SELinux protection to Pure-FTPd.  It's an FTP server,
so labelling the binary to ftpd_t did 99% of the job !  Well done
SELinux devs !

But this server has additional features, like the possibility to get its
user list from MySQL, PostgreSQL or LDAP.  So I've written this te file :

==========================
module pureftpd 1.0;

require {
    class dir { getattr search };
    class file { read write };
    class tcp_socket name_connect;
    class sock_file { getattr read write append ioctl lock };
    class unix_stream_socket { read write connectto };
    type ftpd_t;
    type initrc_var_run_t;
    type mysqld_port_t;
    type ldap_port_t;
};

# Write to /var/run/utmp
allow ftpd_t initrc_var_run_t:file { read write };

### Allow connect to mysql
# Network connect
corenet_tcp_connect_mysqld_port(ftpd_t)
# Socket file connect
mysql_stream_connect(ftpd_t);
mysql_rw_db_sockets(ftpd_t)

### Allow connect to postgresql
# Network connect
corenet_tcp_connect_postgresql_port(ftpd_t)
# Socket file connect
postgresql_stream_connect(ftpd_t)

# Allow connect to ldap
allow ftpd_t ldap_port_t:tcp_socket name_connect;
==========================

I figured that out mainly by reading the policy source (mainly apache's),
and with the help of the wiki :
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow explains
how to let SpamAssassin connect to LDAP.

I have a few questions:
- Does this look OK to you ?
- Is it better to use the macros ( like mysql_stream_connect(ftpd_t)) or to
  write the policies explicitly (allow ftpd_t mysqld_port_t:tcp_socket
  name_connect) ?
- The apache policy source used the sysnet_use_ldap macro to let it access
  LDAP.  It looks like it does much more and requires much more than the
  simple allow tcp_socket name_connect.  Yet, this is the one advertised in
  the wiki.  Which solution should I choose ?
- I'll build the module in %install and load it in %post.  Any preferred
  place for the .pp file ?  /usr/share/pure-ftpd is OK, or would it be better
  to put it in /usr/share/selinux/targeted ?

When this is verified, I'll add it to the wiki page
(http://fedoraproject.org/wiki/Packaging/SELinux).

Thanks a lot for your help !

Aurélien

--
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
For external use only

From sds at tycho.nsa.gov Fri Apr 14 13:27:47 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 14 Apr 2006 09:27:47 -0400
Subject: Create new types in modules?
In-Reply-To: <443F9B73.8070302@redhat.com>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org> <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil> <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil> <443E4F63.8010306@city-fan.org> <443F9B73.8070302@redhat.com>
Message-ID: <1145021268.11164.48.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-14 at 08:54 -0400, Daniel J Walsh wrote:
> > Excellent - thanks.
> >
> > Now why isn't this doing what I expect:
> >
> > # semanage fcontext -a -t mock_root_t \
> >     /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
> > # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> > drwxrwsr-x  paul mock user_u:object_r:usr_t            result
> > drwxr-sr-x  root mock root:object_r:usr_t              root
> > drwxrwsr-x  paul mock user_u:object_r:usr_t            state
> > # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
> > context root:object_r:usr_t->system_u:object_r:mock_root_t
> > # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
> > drwxrwsr-x  paul mock user_u:object_r:usr_t            result
> > drwxr-sr-x  root mock system_u:object_r:mock_root_t    root
> > drwxrwsr-x  paul mock user_u:object_r:usr_t            state
> >
> > Why doesn't the directory
> > /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
> > mock_root_t in the first place rather than having to do the restorecon
> > on it?
> >
> You need to tell mkdir which context to create it with or write a
> transition rule in policy that says when context ABC_t creates files in
> directories labeled DEF_T, create them GEH_T.
>
> You can also look at mkdir -Z.

A bit of explanation:  The file contexts configuration is only intended
to establish the initial state of the filesystem, for use by programs
like rpm and install, based on some external knowledge about the security
properties of files and some assumptions about secure creation and
distribution of the packages in the first place.  For normal file
creation at runtime, we don't want to rely on anything path-based at all
because that doesn't tell us anything about the real security properties
of the object; we want to label the files in accordance with the security
properties of their creator, related objects (e.g. parent directory), and
the runtime kernel policy (type transition rules).  So a directory
created by mkdir isn't going to automatically pick up the context defined
in file_contexts.  The user can force it to that context (if allowed to
do so by policy) via mkdir -Z or by running restorecon after the fact,
but that does require explicit action by the user, and won't be allowed
under some policies.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Apr 14 14:01:58 2006
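As an added example (not code from the thread), the following Python model of the two labelling mechanisms Stephen describes reproduces both the mock_root_t question above and the /etc/mtab case from the floppy thread: `restorecon_label` mimics the file_contexts lookup that restorecon and setfiles perform, and `creation_label` mimics what the kernel does at create time, applying a type_transition rule if one matches and otherwise inheriting the parent directory's type. The file_contexts entries and the transition rules are constructed to match the labels shown in the messages, not copied from the real policy.

```python
"""Model file_contexts labelling versus runtime creation labelling."""
import re

# file_contexts-style entries (regex, type).  The mock_root_t entry is
# the semanage fcontext call from Paul's message; the others are
# constructed to match the labels seen in the thread.  As in
# file_contexts, more specific entries come later and the last match wins.
FILE_CONTEXTS = [
    (r"/usr/share(/.*)?", "usr_t"),
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/mtab", "etc_runtime_t"),
    (r"/usr/share/fsdata/mock/[^/]*/root(/.*)?", "mock_root_t"),
]

# type_transition rules: (creator domain, parent type, class) -> new type.
# Constructed: mount_t gets the etc_t -> etc_runtime_t transition that the
# floppy thread expects; unconfined_t has no rule, which is the omission
# under discussion there.
TYPE_TRANSITIONS = {
    ("mount_t", "etc_t", "file"): "etc_runtime_t",
}


def restorecon_label(path, file_contexts=FILE_CONTEXTS):
    """Type that restorecon/setfiles would assign: last matching entry."""
    label = None
    for pattern, otype in file_contexts:
        if re.fullmatch(pattern, path):
            label = otype
    return label


def creation_label(creator_type, parent_type, obj_class,
                   transitions=TYPE_TRANSITIONS):
    """Type a new object gets at runtime: transition rule, else parent's type."""
    return transitions.get((creator_type, parent_type, obj_class), parent_type)


def check_drift(path, creator_type, parent_type, obj_class):
    """Compare the two mechanisms for one object.

    Returns (file_contexts type, runtime type, drift flag).  A drift flag
    of True means objects created at runtime will not match what
    restorecon would set, so the packager needs a type_transition rule,
    mkdir -Z, or an explicit restorecon step.
    """
    expected = restorecon_label(path)
    actual = creation_label(creator_type, parent_type, obj_class)
    return expected, actual, expected != actual


if __name__ == "__main__":
    cases = [
        # mkdir from unconfined_t in the usr_t parent, as in Paul's message
        ("/usr/share/fsdata/mock/redhat-8.0-i386-core/root",
         "unconfined_t", "usr_t", "dir"),
        # umount run in unconfined_t rewriting /etc/mtab via rename
        ("/etc/mtab", "unconfined_t", "etc_t", "file"),
        # the same rewrite from mount_t, which has the transition rule
        ("/etc/mtab", "mount_t", "etc_t", "file"),
    ]
    for path, creator, parent, cls in cases:
        expected, actual, drift = check_drift(path, creator, parent, cls)
        print(f"{path} by {creator}: file_contexts={expected} "
              f"runtime={actual} drift={drift}")
```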
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 14 Apr 2006 10:01:58 -0400 Subject: Add SELinux protection to Pure-FTPd In-Reply-To: References: Message-ID: <1145023318.17185.12.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2006-04-14 at 15:00 +0200, Aurelien Bompard wrote: > module pureftpd 1.0; policy_module(pureftpd, 1.0) is preferred syntax going forward. > require { > class dir { getattr search }; > class file { read write }; > class tcp_socket name_connect; > class sock_file { getattr read write append ioctl lock }; > class unix_stream_socket { read write connectto }; If you use policy_module() macro, you'll get the kernel class and permission requires as part of it, so you won't need to explicitly specify them each time. > type ftpd_t; > type initrc_var_run_t; > type mysqld_port_t; > type ldap_port_t; > }; > > # Write to /var/run/utmp > allow ftpd_t initrc_var_run_t:file { read write }; Does it truly need write access? The library always tries to open rw first, then falls back to read-only if it cannot open rw, so even just reading utmp will show up in avc messages as a rw attempt. Try just allowing read, and dontaudit'ing the write permission. > ### Allow connect to mysql > # Network connect > corenet_tcp_connect_mysqld_port(ftpd_t) > # Socket file connect > mysql_stream_connect(ftpd_t); > mysql_rw_db_sockets(ftpd_t) > > ### Allow connect to postgresql > # Network connect > corenet_tcp_connect_postgresql_port(ftpd_t) > # Socket file connect > postgresql_stream_connect(ftpd_t) > > # Allow connect to ldap > allow ftpd_t ldap_port_t:tcp_socket name_connect; > ========================== > > I figured that out mainly by reading the policy source (mainly apache's), > and with the help of the wiki : > http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow explains > how to let SpamAssassin connect to LDAP. > > I have a few questions: > - Does this look OK to you ? 
> - Is it better to use the macros ( like mysql_stream_connect(ftpd_t)) or to
> write the policies explicitly (allow ftpd_t mysqld_port_t:tcp_socket
> name_connect) ?

Macros aka interfaces are preferred, as they preserve modularity/encapsulation and thus make your module more portable to other base policies. There are plans to introduce interfaces as direct constructs in the policy language and module format such that these interfaces can be expanded at link-time rather than module build time, which will further improve the portability of your module.

> - The apache policy source used the sysnet_use_ldap macro to let it access
> LDAP. It looks like it does much more and requires much more than the
> simple allow tcp_socket name_connect. Yet, this is the one advertised in
> the wiki. Which solution should I choose ?
> - I'll build the module in %install and load it in %post. Any preferred
> place for the .pp file ? /usr/share/pure-ftpd is OK, or would it be better
> to put it in /usr/share/selinux/targeted ?

I don't think you want to put it in /usr/share/selinux/targeted (as that could conflict in the future with the policy package), but I would suggest putting it under /usr/share/selinux/ or similar to keep all policy modules under that selinux tree, unless that also presents some kind of conflict problem?

> When this is verified, I'll add it to the wiki page
> (http://fedoraproject.org/wiki/Packaging/SELinux).
> 
> Thanks a lot for your help !
> 
> Aurélien

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Apr 14 14:23:58 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 10:23:58 -0400
Subject: FC5: what context should I use for extra ext3 filesystems?
In-Reply-To: 
References: 
Message-ID: <443FB07E.6030008@redhat.com>

Mike Carney wrote:
> Greetings,
> 
> I've got a couple of extra filesystems I use for various reasons which
> currently have a default_t context. I mount them under a new directory
> "/export", which I've set to mnt_t:
> 
> /dev/sda9 on /export/0 type ext3 (rw)
> /dev/sdb9 on /export/1 type ext3 (rw)
> /dev/sdb10 on /export/2 type ext3 (rw)
> 
> 203# ls -dZ /export /export/*
> drwxr-xr-x root root system_u:object_r:mnt_t /export/
> drwxr-xr-x root root system_u:object_r:default_t /export/0/
> drwxr-xr-x root root system_u:object_r:default_t /export/1/
> drwxr-xr-x root root system_u:object_r:default_t /export/2/
> 204#
> 
> Any guidance as to what context should I set these file system mount
> points to? mnt_t? usr_t? How do I specify using semanage that I don't
> want the relabel to propagate to subdirectories? (e.g., <>).
> 
Depends on what you want to do with them. You can leave them as default_t, if you do not want a confined domain to touch them. If you need some confined domains to touch them you will need to set context appropriately.

> Thanks in advance,
> 
> Mike
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 

From dwalsh at redhat.com Fri Apr 14 14:37:18 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 10:37:18 -0400
Subject: error in today's rawhide update....
In-Reply-To: <4c4ba1530604120751y448b599fqba6462087172248b@mail.gmail.com>
References: <4c4ba1530604120708h7ab35fc0q89dc06f499ef056c@mail.gmail.com> <4c4ba1530604120717r3b4b63cesb8b78642f2f982a0@mail.gmail.com> <4c4ba1530604120751y448b599fqba6462087172248b@mail.gmail.com>
Message-ID: <443FB39E.2030903@redhat.com>

Tom London wrote:
> On 4/12/06, Tom London wrote:
> 
>> I did 'setenforce 0', and 'rpm -Uvh selinux-policy-targeted*', and
>> this seems to be proceeding without errors.
>> 
>> I'm getting lots of files relabeled (>400), mostly texrel_shlib_t to
>> lib_t, for things like /usr/lib/firefox, /usr/lib/mozilla,
>> /usr/lib/wine.
>> 
>> This expected?
>> 
> 
> Hmmm...Suspect relabeling has broken some stuff. Get this when I try
> to start firefox:
> type=AVC msg=audit(1144853278.073:58): avc: denied { execmod } for
> pid=4819 comm="firefox-bin" name="libxpcom_core.so" dev=dm-0
> ino=6114892 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1144853278.073:58): arch=40000003 syscall=125
> success=yes exit=0 a0=327000 a1=cc000 a2=5 a3=bfc5e610 items=0
> pid=4819 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
> exe="/usr/lib/firefox-1.5.0.1/firefox-bin"
> subj=user_u:system_r:unconfined_t:s0
> type=AVC_PATH msg=audit(1144853278.073:58):
> path="/usr/lib/firefox-1.5.0.1/libxpcom_core.so"
> 
> I'll reboot in permissive mode and try to capture all the AVCs....
> 
Yes, labeling has been screwed up. Should be fixed in last night's rawhide.

> tom
> -- 
> Tom London

From gauret at free.fr Fri Apr 14 14:47:24 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Fri, 14 Apr 2006 16:47:24 +0200
Subject: Add SELinux protection to Pure-FTPd
References: <1145023318.17185.12.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

Stephen Smalley wrote:
> policy_module(pureftpd, 1.0) is preferred syntax going forward.
> If you use policy_module() macro, you'll get the kernel class and
> permission requires as part of it, so you won't need to explicitly
> specify them each time.

Yay! Done that.

> Does it truly need write access? The library always tries to open rw
> first, then falls back to read-only if it cannot open rw, so even just
> reading utmp will show up in avc messages as a rw attempt. Try just
> allowing read, and dontaudit'ing the write permission.

That's right, it only needs read access. I've added:

    init_read_utmp(ftpd_t)
    init_dontaudit_write_utmp(ftpd_t)

to the module (picked from the policy sources).

> Macros aka interfaces are preferred, as they preserve
> modularity/encapsulation and thus make your module more portable to
> other base policies.

OK. I'll use sysnet_use_ldap to allow LDAP access then.

> I don't think you want to put it in /usr/share/selinux/targeted (as that
> could conflict in the future with the policy package), but I would
> suggest putting it under /usr/share/selinux/ or similar to
> keep all policy modules under that selinux tree, unless that also
> presents some kind of conflict problem?

Looks good to me, except I've placed it in /usr/share/selinux/packages/ to avoid the base and targeted dirs being buried under a ton of packages dirs in the future.

It's taking shape, but I have another problem. I run

    semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp

in the %post scriptlet to load the module, and I get this error:

    libsemanage.semanage_commit_sandbox: Could not remove previous backup /etc/selinux/targeted/modules/previous.
    semodule: Failed!
With this AVC in audit.log:

    type=AVC msg=audit(1145025496.481:18267): avc: denied { rmdir } for pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

And the module is not loaded.
Calling semodule outside the RPM scriptlet works fine.

Any idea? Should I use another command?

Thanks,

Aurélien
-- 
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
Experience is something you acquire just after having needed it.

From dwalsh at redhat.com Fri Apr 14 14:48:48 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 10:48:48 -0400
Subject: procmail
In-Reply-To: <443BCBFB.2050104@city-fan.org>
References: <443BCBFB.2050104@city-fan.org>
Message-ID: <443FB650.1040309@redhat.com>

Paul Howarth wrote:
> I use procmail as my local delivery agent from sendmail. In FC5 this
> appears to be running as procmail_t.
> 
> Procmail offers the ability to pipe mail through programs (filters),
> and I use this facility from time to time. I'm getting quite a lot of
> denials when doing this and wonder what the right approach to fixing
> them is.
> 
> Case 1: a locally-written shell script called "spamdomain"
> 
> This is in my ~/bin directory and of type user_home_t
> 
> Procmail recipe:
> SPAMDOMAIN=`spamdomain`
> 
> Result:
> 
> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
> denied { execute } for pid=16622 comm="procmail" name="spamdomain"
> dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
> 
> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
> denied { execute_no_trans } for pid=16622 comm="procmail"
> name="spamdomain" dev=dm-1 ino=1399071
> scontext=system_u:system_r:procmail_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
> 
You could relabel it bin_t?

chcon -t bin_t ~/bin/spamdomain

> Case 2: piping mail through "sa-learn"
> 
> I run spamass-milter to reject mail in-protocol and then my own local
> filter using procmail on anything that gets through. If I'm sure
> something's spam, I like spamassassin to learn about it so I might
> reject it earlier in future. So I pipe it through sa-learn
> (spamd_exec_t):
> 
Shouldn't sa-learn be labeled spamc_exec_t? If you change it to

chcon -t spamc_exec_t /usr/bin/sa-learn

Does it work?
> Procmail recipe:
> :0c
> | sa-learn --username=paul at city-fan.org --spam >/dev/null 2>&1
> 
> Result:
> 
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.743:8008): avc:
> denied { getattr } for pid=16718 comm="bash" name="sa-learn"
> dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
> 
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8009): avc:
> denied { execute } for pid=16718 comm="bash" name="sa-learn"
> dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
> 
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8010): avc:
> denied { read } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
> ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
> 
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8011): avc:
> denied { execute_no_trans } for pid=16719 comm="bash"
> name="sa-learn" dev=dm-3 ino=852750
> scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
> 
> Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.799:8012): avc:
> denied { ioctl } for pid=16719 comm="sa-learn" name="sa-learn"
> dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
> 
> The "bash" denials will be due to procmail forking a shell to handle
> the redirects.
> 
> What *should* I be doing here to fix this? I know I could just add
> local policy to fix the denials, but is there a way to do it that's
> supported by existing policy?
> 
> Paul.

From selinux at gmail.com Fri Apr 14 14:51:52 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 14 Apr 2006 07:51:52 -0700
Subject: error in today's rawhide update....
In-Reply-To: <443FB39E.2030903@redhat.com>
References: <4c4ba1530604120708h7ab35fc0q89dc06f499ef056c@mail.gmail.com> <4c4ba1530604120717r3b4b63cesb8b78642f2f982a0@mail.gmail.com> <4c4ba1530604120751y448b599fqba6462087172248b@mail.gmail.com> <443FB39E.2030903@redhat.com>
Message-ID: <4c4ba1530604140751w132ac6b1q2e9236a14108acf3@mail.gmail.com>

On 4/14/06, Daniel J Walsh wrote:
> Yes, labeling has been screwed up. Should be fixed in last night's rawhide.

Yup, seems fixed.

tom
-- 
Tom London

From dwalsh at redhat.com Fri Apr 14 14:53:13 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 10:53:13 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk> <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <443FB759.6090503@redhat.com>

Stephen Smalley wrote:
> On Thu, 2006-04-13 at 18:35 +0100, Ron Yorston wrote:
> 
>> Stephen Smalley wrote:
>> 
>>> Seems like a policy bug (omission of a transition from unconfined_t to
>>> mount_t) to me. Otherwise, /etc/mtab is going to lose its type every
>>> time you run mount/umount from the shell. Dan?
>>> 
>> Just a clarification (or confusion): it's only umount that causes the
>> problem. mount doesn't create a new /etc/mtab file and doesn't change
>> the context:
>> 
>> # ls -Z /etc/mtab
>> -rw-r--r-- root root system_u:object_r:etc_runtime_t /etc/mtab
>> # ls -i /etc/mtab
>> 33032 /etc/mtab
>> # mount /opt
>> # ls -Z /etc/mtab
>> -rw-r--r-- root root system_u:object_r:etc_runtime_t /etc/mtab
>> # ls -i /etc/mtab
>> 33032 /etc/mtab
>> #
>> 
> 
> Ah, ok. strace of mount and umount suggests that mount just
> writes/appends to the existing file in place while umount creates a new
> file without the entry and then replaces the original file via rename.
> Which would explain why mount doesn't disturb the type but umount does.
> Regardless, I think it makes sense to have unconfined_t transition to
> mount_t.
> 
Please turn on restorecond

chkconfig --add restorecond
service restorecond start

We are not transitioning to mount_t from unconfined_t because it causes lots of other problems such as

mount > ~/mymounts

failing etc. This is the type of problems restorecond is designed to fix.

From mc-al34luc at sbcglobal.net Fri Apr 14 15:00:45 2006
From: mc-al34luc at sbcglobal.net (Mike Carney)
Date: Fri, 14 Apr 2006 08:00:45 -0700
Subject: FC5: what context should I use for extra ext3 filesystems?
References: <443FB07E.6030008@redhat.com>
Message-ID: 

Daniel J Walsh wrote:
> Mike Carney wrote:
>> Greetings,
>> 
>> I've got a couple of extra filesystems I use for various reasons which
>> currently have a default_t context. I mount them under a new directory
>> "/export", which I've set to mnt_t:
>> 
>> /dev/sda9 on /export/0 type ext3 (rw)
>> /dev/sdb9 on /export/1 type ext3 (rw)
>> /dev/sdb10 on /export/2 type ext3 (rw)
>> 
>> 203# ls -dZ /export /export/*
>> drwxr-xr-x root root system_u:object_r:mnt_t /export/
>> drwxr-xr-x root root system_u:object_r:default_t /export/0/
>> drwxr-xr-x root root system_u:object_r:default_t /export/1/
>> drwxr-xr-x root root system_u:object_r:default_t /export/2/
>> 204#
>> 
>> Any guidance as to what context should I set these file system mount
>> points to? mnt_t? usr_t? How do I specify using semanage that I don't
>> want the relabel to propagate to subdirectories? (e.g., <>).
>> 
> Depends on what you want to do with them. You can leave them as
> default_t, if you do not want a confined domain
> to touch them. If you need some confined domains to touch them you will
> need to set context appropriately.
>> Thanks in advance,

Hi Dan, thanks for the response. Right now I simply want to set the contexts for the /export and the mount directories within that directory (/export/{0,1,2}) without having that context propagate to subdirectories, simply to make hald happy. Later, when I've learned more about SELinux, I'll make other adjustments.

So, some guidance as to what context those directories should be (mnt_t or usr_t) and the proper incantation to get semanage to accept "<>" as the "no relabel" token.

Thanks!

From sds at tycho.nsa.gov Fri Apr 14 15:11:24 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 14 Apr 2006 11:11:24 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <443FB759.6090503@redhat.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk> <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil> <443FB759.6090503@redhat.com>
Message-ID: <1145027484.18244.4.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
> Please turn on restorecond
> 
> chkconfig --add restorecond
> service restorecond start
> 
> We are not transitioning to mount_t from unconfined_t because it causes
> lots of other problems such as
> 
> mount > ~/mymounts failing etc. This is the type of problems
> restorecond is designed to fix.

Hmmm..why not create a user_mount_t domain and transition to it from unconfined_t, and let it write to user home directory types? While leaving mount_t alone. Then you can define a type transition on user_mount_t etc_t:file etc_runtime_t. Relying on restorecond for something that can be easily addressed via a type transition seems wrong.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Apr 14 15:16:40 2006
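Stephen's earlier explanation in this archive (a new file's type comes from its creator, its parent directory and the policy's type_transition rules, never from the path) and the mount/umount observation in this thread, worked through as an added toy model. This is illustration code written for the archive, not kernel or libselinux code; user_mount_t and the etc_t:file -> etc_runtime_t transition are the proposal quoted above, while the starting labels and the two file_contexts entries are constructed, and the restorecon matcher simply takes the last matching entry rather than modelling libselinux's real precedence rules.

```python
"""Toy model: runtime labeling (creator + parent + type_transition) versus
path-based relabeling (file_contexts). Added example, not kernel code."""
import re


class Policy:
    """type_transition rules: (creating domain, parent type, class) -> new type."""

    def __init__(self, type_transitions=()):
        self.type_transitions = dict(type_transitions)

    def label_new_object(self, domain, parent_type, tclass):
        # No path is consulted. With no matching type_transition rule the new
        # object simply inherits the type of its parent directory.
        return self.type_transitions.get((domain, parent_type, tclass), parent_type)


class Filesystem:
    """Labels live on inodes, so a rename carries the label with the inode."""

    def __init__(self, policy, labels):
        self.policy = policy
        self.labels = dict(labels)  # path -> type

    def write_in_place(self, path, domain):
        # What mount does to /etc/mtab per the strace in the thread: the
        # existing inode is appended to, so its type is untouched.
        if path not in self.labels:
            raise FileNotFoundError(path)
        return self.labels[path]

    def create_and_rename_over(self, path, domain):
        # What umount does: write a new temp file, then rename it over the
        # original. The temp file is a *new* object, labeled at creation time.
        parent = path.rsplit("/", 1)[0]
        new_type = self.policy.label_new_object(domain, self.labels[parent], "file")
        self.labels[path] = new_type
        return new_type

    def restorecon(self, path, file_contexts):
        # Path-based relabel after the fact (restorecon / restorecond).
        # Simplification: last matching entry wins.
        chosen = None
        for pattern, ftype in file_contexts:
            if re.fullmatch(pattern, path):
                chosen = ftype
        if chosen is not None:
            self.labels[path] = chosen
        return self.labels[path]


# Constructed starting state: /etc is etc_t and /etc/mtab carries etc_runtime_t.
INITIAL_LABELS = {"/etc": "etc_t", "/etc/mtab": "etc_runtime_t"}
# Constructed file_contexts fragment (regex, type), most specific entry last.
FILE_CONTEXTS = [(r"/etc(/.*)?", "etc_t"), (r"/etc/mtab", "etc_runtime_t")]


def mount_from_unconfined():
    """mount run from unconfined_t rewrites mtab in place: type is preserved."""
    fs = Filesystem(Policy(), INITIAL_LABELS)
    return fs.write_in_place("/etc/mtab", "unconfined_t")  # etc_runtime_t


def umount_from_unconfined():
    """umount from unconfined_t with no transition: new mtab inherits etc_t."""
    fs = Filesystem(Policy(), INITIAL_LABELS)
    return fs.create_and_rename_over("/etc/mtab", "unconfined_t")  # etc_t


def umount_from_user_mount_domain():
    """The proposed fix: a user_mount_t domain plus a type_transition rule."""
    policy = Policy({("user_mount_t", "etc_t", "file"): "etc_runtime_t"})
    fs = Filesystem(policy, INITIAL_LABELS)
    return fs.create_and_rename_over("/etc/mtab", "user_mount_t")  # etc_runtime_t


def umount_then_restorecon():
    """The restorecond approach: wrong type after umount, then fixed by path."""
    fs = Filesystem(Policy(), INITIAL_LABELS)
    fs.create_and_rename_over("/etc/mtab", "unconfined_t")
    return fs.restorecon("/etc/mtab", FILE_CONTEXTS)  # etc_runtime_t
```

The last two functions show the difference between the two positions in the thread: the type_transition gets the label right at creation, while restorecond repairs it afterwards and only for paths listed in file_contexts.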
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 14 Apr 2006 11:16:40 -0400
Subject: Add SELinux protection to Pure-FTPd
In-Reply-To: 
References: <1145023318.17185.12.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1145027800.18244.9.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-14 at 16:47 +0200, Aurelien Bompard wrote:
> Looks good to me, except I've placed it
> in /usr/share/selinux/packages/ to avoid the base and targeted
> dirs being buried under a ton of packages dirs in the future.
> 
> It's taking shape, but I have another problem. I run
> semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp
> in the %post scriptlet to load the module, and I get this error:
> 
> libsemanage.semanage_commit_sandbox: Could not remove previous
> backup /etc/selinux/targeted/modules/previous.
> semodule: Failed!
> 
> With this AVC in audit.log :
> 
> type=AVC msg=audit(1145025496.481:18267): avc: denied { rmdir } for
> pid=28069 comm="semodule" name="modules" dev=sda2 ino=1249868
> scontext=user_u:system_r:semanage_t:s0
> tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

Looks like the type isn't getting preserved on /etc/selinux/$SELINUXTYPE/modules/{active,previous} upon updates - they are reverting from semanage_store_t to selinux_config_t (the type on their parent directory). We either need to put semanage_store_t on /etc/selinux/$SELINUXTYPE/modules as well or we need to make libsemanage preserve the types.

> And the module is not loaded.
> Calling semodule outside the RPM scriptlet works fine.
> 
> Any idea ? Should I use another command ?
> 
> Thanks,
> 
> Aurélien

-- 
Stephen Smalley
National Security Agency

From gauret at free.fr Fri Apr 14 15:22:18 2006
From: gauret at free.fr (Aurelien Bompard)
Date: Fri, 14 Apr 2006 17:22:18 +0200
Subject: Add SELinux protection to Pure-FTPd
References: <1145023318.17185.12.camel@moss-spartans.epoch.ncsc.mil> <1145027800.18244.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: 

Stephen Smalley wrote:
> Looks like the type isn't getting preserved
> on /etc/selinux/$SELINUXTYPE/modules/{active,previous} upon updates -
> they are reverting from semanage_store_t to selinux_config_t (the type
> on their parent directory). We either need to put semanage_store_t
> on /etc/selinux/$SELINUXTYPE/modules as well or we need to make
> libsemanage preserve the types.

OK, so it's something to fix at the main policy level, right (I can't do anything about it)?

    # rpm -q selinux-policy-targeted
    selinux-policy-targeted-2.2.29-3.fc5

Aurélien
-- 
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
"Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things." -- Doug Gwyn

From sds at tycho.nsa.gov Fri Apr 14 15:35:24 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 14 Apr 2006 11:35:24 -0400
Subject: Add SELinux protection to Pure-FTPd
In-Reply-To: 
References: <1145023318.17185.12.camel@moss-spartans.epoch.ncsc.mil> <1145027800.18244.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1145028924.18244.14.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-14 at 17:22 +0200, Aurelien Bompard wrote:
> Stephen Smalley wrote:
> > Looks like the type isn't getting preserved
> > on /etc/selinux/$SELINUXTYPE/modules/{active,previous} upon updates -
> > they are reverting from semanage_store_t to selinux_config_t (the type
> > on their parent directory). We either need to put semanage_store_t
> > on /etc/selinux/$SELINUXTYPE/modules as well or we need to make
> > libsemanage preserve the types.
> 
> OK, so it's something to fix at the main policy level, right (I can't do
> anything about it) ?

Correct. You can restorecon -R /etc/selinux/targeted to temporarily fix it, but it will keep reverting on each transaction. chcon -t semanage_store_t /etc/selinux/targeted/modules may solve the problem with keeping the type on the active and previous subdirectories, but ultimately needs to be applied in the policy.

> # rpm -q selinux-policy-targeted
> selinux-policy-targeted-2.2.29-3.fc5
> 
> Aurélien

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Apr 14 17:25:00 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 13:25:00 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1145027484.18244.4.camel@moss-spartans.epoch.ncsc.mil>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk> <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil> <443FB759.6090503@redhat.com> <1145027484.18244.4.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <443FDAEC.1060902@redhat.com>

Stephen Smalley wrote:
> On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
> 
>> Please turn on restorecond
>> 
>> chkconfig --add restorecond
>> service restorecond start
>> 
>> We are not transitioning to mount_t from unconfined_t because it causes
>> lots of other problems such as
>> 
>> mount > ~/mymounts failing etc. This is the type of problems
>> restorecond is designed to fix.
>> 
> 
> Hmmm..why not create a user_mount_t domain and transition to it from
> unconfined_t, and let it write to user home directory types? While
> leaving mount_t alone. Then you can define a type transition on
> user_mount_t etc_t:file etc_runtime_t. Relying on restorecond for
> something that can be easily addressed via a type transition seems
> wrong.
> 
You can do that but I would suggest you create an unconfined_mount_t and allow it everything unconfined_t can do. Otherwise we end up with people mounting files in random places or outputting mount >> /var/mounts whatever.
I think very few userspace tools should transition, because when they do we end up with lots of bug reports.

From dwalsh at redhat.com Fri Apr 14 17:26:31 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 13:26:31 -0400
Subject: FC5: what context should I use for extra ext3 filesystems?
In-Reply-To: 
References: <443FB07E.6030008@redhat.com>
Message-ID: <443FDB47.8020200@redhat.com>

Mike Carney wrote:
> Daniel J Walsh wrote:
> 
>> Mike Carney wrote:
>> 
>>> Greetings,
>>> 
>>> I've got a couple of extra filesystems I use for various reasons which
>>> currently have a default_t context. I mount them under a new directory
>>> "/export", which I've set to mnt_t:
>>> 
>>> /dev/sda9 on /export/0 type ext3 (rw)
>>> /dev/sdb9 on /export/1 type ext3 (rw)
>>> /dev/sdb10 on /export/2 type ext3 (rw)
>>> 
>>> 203# ls -dZ /export /export/*
>>> drwxr-xr-x root root system_u:object_r:mnt_t /export/
>>> drwxr-xr-x root root system_u:object_r:default_t /export/0/
>>> drwxr-xr-x root root system_u:object_r:default_t /export/1/
>>> drwxr-xr-x root root system_u:object_r:default_t /export/2/
>>> 204#
>>> 
>>> Any guidance as to what context should I set these file system mount
>>> points to? mnt_t? usr_t? How do I specify using semanage that I don't
>>> want the relabel to propagate to subdirectories? (e.g., <>).
>>> 
>> Depends on what you want to do with them. You can leave them as
>> default_t, if you do not want a confined domain
>> to touch them. If you need some confined domains to touch them you will
>> need to set context appropriately.
>> 
>>> Thanks in advance,
>>> 
> 
> Hi Dan, thanks for the response. Right now I simply want to set the
> contexts for the /export and the mount directories within that directory
> (/export/{0,1,2}) without having that context propagate to
> subdirectories simply to make hald happy. Later, when I've learned more
> about SELinux, I'll make other adjustments.
> 
Ok, let's fix hal then. What is it complaining about?

> So, some guidance as to what context those directories should be
> (mnt_t or usr_t) and the proper incantation to get semanage to accept
> "<>" as the "no relabel" token.
> 
> Thanks!
> 

From cpebenito at tresys.com Fri Apr 14 17:30:09 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 14 Apr 2006 13:30:09 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <443FDAEC.1060902@redhat.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk> <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil> <443FB759.6090503@redhat.com> <1145027484.18244.4.camel@moss-spartans.epoch.ncsc.mil> <443FDAEC.1060902@redhat.com>
Message-ID: <1145035810.8881.7.camel@sgc.columbia.tresys.com>

On Fri, 2006-04-14 at 13:25 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-04-14 at 10:53 -0400, Daniel J Walsh wrote:
> > 
> >> Please turn on restorecond
> >> 
> >> chkconfig --add restorecond
> >> service restorecond start
> >> 
> >> We are not transitioning to mount_t from unconfined_t because it causes
> >> lots of other problems such as
> >> 
> >> mount > ~/mymounts failing etc. This is the type of problems
> >> restorecond is designed to fix.
> >> 
> > 
> > Hmmm..why not create a user_mount_t domain and transition to it from
> > unconfined_t, and let it write to user home directory types? While
> > leaving mount_t alone. Then you can define a type transition on
> > user_mount_t etc_t:file etc_runtime_t. Relying on restorecond for
> > something that can be easily addressed via a type transition seems
> > wrong.
> > 
> You can do that but I would suggest you create an unconfined_mount_t and
> allow it everything unconfined_t can do. Otherwise we end up with
> people mounting files in random places or outputting mount >>
> /var/mounts whatever. I think very few userspace tools should
> transition, because when they do we end up with lots of bug reports.

Alternatively we could just make mount_t unconfined. Without a mount transition, anyone that runs mount will most likely be unconfined already. I don't think that it needs everything that unconfined_t has, since basically the only thing that unconfined_t has over the unconfined macro is some transitions, and mount shouldn't need to transition to any more than it already has.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From cpebenito at tresys.com Fri Apr 14 17:32:19 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 14 Apr 2006 13:32:19 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1145035810.8881.7.camel@sgc.columbia.tresys.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk> <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil> <443FB759.6090503@redhat.com> <1145027484.18244.4.camel@moss-spartans.epoch.ncsc.mil> <443FDAEC.1060902@redhat.com> <1145035810.8881.7.camel@sgc.columbia.tresys.com>
Message-ID: <1145035940.8881.9.camel@sgc.columbia.tresys.com>

On Fri, 2006-04-14 at 13:30 -0400, Christopher J. PeBenito wrote:
> Alternatively we could just make mount_t unconfined.

That is, make it unconfined on the targeted policy, of course.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From dwalsh at redhat.com Fri Apr 14 17:39:18 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Apr 2006 13:39:18 -0400
Subject: SELinux enforcing disallows opening floppy drive in Nautilus
In-Reply-To: <1145035940.8881.9.camel@sgc.columbia.tresys.com>
References: <3400f2f60604111806s62fdd436h7c1f925e4bf7db4d@mail.gmail.com> <200604120839.k3C8d27e011646@tiffany.internal.tigress.co.uk> <3400f2f60604120712t2fb5e3bcjd406b99587d696b3@mail.gmail.com> <1144852360.20422.123.camel@moss-spartans.epoch.ncsc.mil> <200604121833.k3CIXQlA015027@tiffany.internal.tigress.co.uk> <1144867433.1083.9.camel@moss-spartans.epoch.ncsc.mil> <1144867776.1083.11.camel@moss-spartans.epoch.ncsc.mil> <3400f2f60604130825l3d3462c8pd03104a174c67a54@mail.gmail.com> <1144943574.8865.4.camel@moss-spartans.epoch.ncsc.mil> <200604131735.k3DHZGaX017385@tiffany.internal.tigress.co.uk> <1144951252.8865.59.camel@moss-spartans.epoch.ncsc.mil> <443FB759.6090503@redhat.com> <1145027484.18244.4.camel@moss-spartans.epoch.ncsc.mil> <443FDAEC.1060902@redhat.com> <1145035810.8881.7.camel@sgc.columbia.tresys.com> <1145035940.8881.9.camel@sgc.columbia.tresys.com>
Message-ID: <443FDE46.50002@redhat.com>

Christopher J. PeBenito wrote:
> On Fri, 2006-04-14 at 13:30 -0400, Christopher J. PeBenito wrote:
> 
>> Alternatively we could just make mount_t unconfined.
>> 
> 
> That is, make it unconfined on the targeted policy, of course.
> 
It should only be unconfined for the transition from unconfined_t though. Not if a confined domain runs it.

From mc-al34luc at sbcglobal.net Fri Apr 14 17:51:09 2006
From: mc-al34luc at sbcglobal.net (Mike Carney)
Date: Fri, 14 Apr 2006 10:51:09 -0700
Subject: FC5: what context should I use for extra ext3 filesystems?
References: <443FB07E.6030008@redhat.com> <443FDB47.8020200@redhat.com>
Message-ID: 

Daniel J Walsh wrote:
> Ok, let's fix hal then. What is it complaining about?

45# audit2why < /tmp/y
type=AVC msg=audit(1145036599.405:1110): avc: denied { search } for pid=2452 comm="hald" name="export" dev=sdb2 ino=8161 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
	Was caused by:
	Missing or disabled TE allow rule.
	Allow rules may exist but be disabled by boolean settings; check boolean settings.
	You can see the necessary allow rules by running audit2allow with this audit message as input.

Looks like we need:

47# audit2allow < /tmp/y
allow hald_t default_t:dir search;
48#

BTW, how does one use semanage to specify that a context not recurse to subdirectories? (e.g. <>).

From benjy.grogan at gmail.com Sat Apr 15 02:24:36 2006 
From: benjy.grogan at gmail.com (Benjy Grogan)
Date: Fri, 14 Apr 2006 22:24:36 -0400
Subject: Confining a Mono Application Using SELinux
Message-ID: 

Hello

I'm trying to take a mono app from Extras and confine it using SELinux. At the moment it runs in the security context user_u:system_r:mono_t. I would like to create my own security context and run the mono app in that one.

I've followed all the instructions at on 'How can I help write policy?' but it's useless if I don't have a domain for my application.

I have read that you need to install the security contexts (as an rpm) before installing the rpm of the mono application. So I'm assuming that work has to be done to create a domain for the mono application, and then the mono application has to be forced to install in this domain.

I'm not sure what makes an application run in the mono_t security context to begin with, and how would I go about changing that?

Benjy

From obligor11-fedora at yahoo.com Sat Apr 15 17:56:46 2006 
From: obligor11-fedora at yahoo.com (Joel Gomberg)
Date: Sat, 15 Apr 2006 10:56:46 -0700
Subject: Privoxy and Port 8080
Message-ID: <444133DE.2070801@yahoo.com>

I originally posted this message to the fedora users list. It was suggested that I might have better luck here.

SELinux is blocking privoxy's access to my public library's online catalog:

http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus

SELinux denies access. With setenforce=0, access is permitted, so I'm sure it's a SELinux issue. After perusing the SELinux FAQ, I issued this command:

semanage port -a -p tcp -t http_port_t 8080

The response was that port 8080 was already defined.

The denial message is:

type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect } for pid=13185 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0

I received a suggestion to issue this command:

semanage port -m -p tcp -t privoxy_t 8080

This changed the denial message slightly:

type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect } for pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

I then issued these commands:

[root at alcibiades ~]# setenforce 0
[root at alcibiades ~]# audit2allow -i /var/log/audit/audit.log

and received this output [relevant to Privoxy]:

allow privoxy_t http_cache_port_t:tcp_socket name_connect;
allow privoxy_t self:tcp_socket name_connect;

I don't know how to proceed from here.

-- 
Joel

From mjs at ces.clemson.edu Sun Apr 16 18:19:13 2006 
From: mjs at ces.clemson.edu (Matthew Saltzman) Date: Sun, 16 Apr 2006 14:19:13 -0400 (EDT) Subject: Amanda client AVC In-Reply-To: <1144679279.8101.62.camel@moss-spartans.epoch.ncsc.mil> References: <1144325949.6176.40.camel@moss-spartans.epoch.ncsc.mil> <1144679279.8101.62.camel@moss-spartans.epoch.ncsc.mil> Message-ID: On Mon, 10 Apr 2006, Stephen Smalley wrote: > On Mon, 2006-04-10 at 10:17 -0400, Matthew Saltzman wrote: >> On Thu, 6 Apr 2006, Stephen Smalley wrote: >> >>> On Wed, 2006-04-05 at 18:42 -0400, Matthew Saltzman wrote: >>>> My amanda clients are seeing the following: >>>> >>>> kernel: audit(1144217150.855:17): avc: denied { name_bind } for >>>> pid=3707 comm="sendbackup" src=697 >>>> scontext=system_u:system_r:amanda_t:s0 >>>> tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket >>>> >>>> And they don't work. >>>> >>>> How to fix, please? TIA. >>> >>> port 697 is listed as uuidgen in /etc/services, so specifically mapping >>> it to an amanda port type and allowing amanda to bind to it seems wrong. >>> If this is just a result of probing for any available low port for NIS, >>> then the allow_ypbind boolean is likely relevant; try enabling it. >> >> That stops the denial messages, but Amanda still isn't working. It fails >> with "too many dumper retry". I'm not getting denials, though, so I >> suppose that must be something else? >> >> (Running nscd doesn't seem to help matters.) > > Try installing the enableaudit.pp policy module, i.e. > semodule -b /usr/share/selinux/targeted/enableaudit.pp > and retrying, then recheck your audit messages for anything relevant > (but note that there may be a lot of irrelevant audit messages enabled > by it). > > That is the equivalent in FC5 to the old 'make enableaudit load' on > policy sources in FC4 and FC3. > Then you revert to the normal policy via > semodule -b /usr/share/selinux/targeted/base.pp Well, I feel silly now. 
The problem was failure to include ip_conntrack_amanda in /etc/sysconfig/iptables-config. I always seem to forget that. Is there a reason it shouldn't be automated somehow when amanda or amanda-client is installed? The AVC still reports denied (I usually get several, but with different port numbers), but amanda runs anyway. "setsebool allow_ypbind 1" stops the denial messages. BTW, audit2allow for that AVC says "allow amanda_t reserved_port_t:tcp_socket name_bind". I haven't tried that yet, as I wasn't sure whether it or the boolean was the right thing to do, and I wasn't sure exactly what the right command was to accomplish the suggested change. > >> Also, this seems strange as a solution as this network doesn't run NIS. I >> do have all the amanda-related ports open on both server and client. I >> had no problems running amanda under FC4. My server is FC4 and it backs >> itself and an RH7.3 machine up with no problems. Only my FC5 clients have >> issues. > > I agree that allow_ypbind needs to be renamed/generalized. > > -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs From selinux at gmail.com Sun Apr 16 23:40:39 2006 
From: selinux at gmail.com (Tom London)
Date: Sun, 16 Apr 2006 16:40:39 -0700
Subject: label for /var/cache/cups/jobs.cache, /var/cache/cups/remote.cache
Message-ID: <4c4ba1530604161640v490579dl99098c1650cb02e6@mail.gmail.com>

Running rawhide, targeted enforcing.

cupsd produces the following when trying to access jobs.cache and remote.cache in /var/cache/cups.

tom

type=PATH msg=audit(04/16/2006 09:56:19.228:50) : item=0 name=/var/cache/cups/remote.cache parent=2814387 dev=fd:00 mode=dir,775 ouid=root ogid=lp rdev=00:00 obj=system_u:object_r:var_t:s0
type=CWD msg=audit(04/16/2006 09:56:19.228:50) : cwd=/
type=SYSCALL msg=audit(04/16/2006 09:56:19.228:50) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfa652e8 a1=8241 a2=1b6 a3=8241 items=1 pid=2245 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c255
type=AVC msg=audit(04/16/2006 09:56:19.228:50) : avc: denied { write } for pid=2245 comm=cupsd name=remote.cache dev=dm-0 ino=2814393 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=file
----
type=PATH msg=audit(04/16/2006 09:56:19.228:51) : item=0 name=/var/cache/cups/job.cache parent=2814387 dev=fd:00 mode=dir,775 ouid=root ogid=lp rdev=00:00 obj=system_u:object_r:var_t:s0
type=CWD msg=audit(04/16/2006 09:56:19.228:51) : cwd=/
type=SYSCALL msg=audit(04/16/2006 09:56:19.228:51) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfa652e8 a1=8241 a2=1b6 a3=8241 items=1 pid=2245 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c255
type=AVC msg=audit(04/16/2006 09:56:19.228:51) : avc: denied { write } for pid=2245 comm=cupsd name=job.cache dev=dm-0 ino=2814394 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=file

-- 
Tom London

From dwalsh at redhat.com Mon Apr 17 10:43:23 2006 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Apr 2006 06:43:23 -0400
Subject: Privoxy and Port 8080
In-Reply-To: <444133DE.2070801@yahoo.com>
References: <444133DE.2070801@yahoo.com>
Message-ID: <4443714B.1030000@redhat.com>

Joel Gomberg wrote:
> I originally posted this message to the fedora users list. It was
> suggested that I might have better luck here.
>
> SELinux is blocking privoxy's access to my public library's online
> catalog:
>
> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>
> SELinux denies access. With setenforce=0, access is permitted, so I'm
> sure it's a SELinux issue. After perusing the SELinux FAQ, I issued
> this command:
>
> semanage port -a -p tcp -t http_port_t 8080.
>
> The response was that port 8080 was already defined.
>
> The denial message is:
>
> type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect }
> for pid=13185 comm="privoxy" dest=8080
> scontext=system_u:system_r:privoxy_t:s0
>
> I received a suggestion to issue this command:
>
> semanage port -m -p tcp -t privoxy_t 8080
>
> This changed the denial message slightly:
>
> type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect }
> for pid=4137 comm="privoxy" dest=8080
> scontext=system_u:system_r:privoxy_t:s0
> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
>
> I then issued these commands:
>
> [root at alcibiades ~]# setenforce 0
> [root at alcibiades ~]# audit2allow -i /var/log/audit/audit.log
>
> and received this output [relevant to Privoxy]:
>
> allow privoxy_t http_cache_port_t:tcp_socket name_connect;
> allow privoxy_t self:tcp_socket name_connect;
>
> I don't know how to proceed from here.

Try

audit2allow -M privoxy -i /var/log/audit/audit.log
semodule -i privoxy.pp

This will create a modular policy that will add these rules to your machine.

I will change policy to allow privoxy to connect to port 8080.

>
> -- 
> Joel
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Mon Apr 17 10:50:33 2006 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Apr 2006 06:50:33 -0400
Subject: label for /var/cache/cups/jobs.cache, /var/cache/cups/remote.cache
In-Reply-To: <4c4ba1530604161640v490579dl99098c1650cb02e6@mail.gmail.com>
References: <4c4ba1530604161640v490579dl99098c1650cb02e6@mail.gmail.com>
Message-ID: <444372F9.6050905@redhat.com>

Tom London wrote:
> Running rawhide, targeted enforcing.
>
> cupsd produces the following when trying to access jobs.cache and
> remote.cache in /var/cache/cups.
>
> tom
>
> type=PATH msg=audit(04/16/2006 09:56:19.228:50) : item=0
> name=/var/cache/cups/remote.cache parent=2814387 dev=fd:00
> mode=dir,775 ouid=root ogid=lp rdev=00:00
> obj=system_u:object_r:var_t:s0
> type=CWD msg=audit(04/16/2006 09:56:19.228:50) : cwd=/
> type=SYSCALL msg=audit(04/16/2006 09:56:19.228:50) : arch=i386
> syscall=open success=no exit=-13(Permission denied) a0=bfa652e8
> a1=8241 a2=1b6 a3=8241 items=1 pid=2245 auid=unknown(4294967295)
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) comm=cupsd exe=/usr/sbin/cupsd
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c255
> type=AVC msg=audit(04/16/2006 09:56:19.228:50) : avc: denied { write
> } for pid=2245 comm=cupsd name=remote.cache dev=dm-0 ino=2814393
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
> tcontext=system_u:object_r:var_t:s0 tclass=file
> ----
> type=PATH msg=audit(04/16/2006 09:56:19.228:51) : item=0
> name=/var/cache/cups/job.cache parent=2814387 dev=fd:00 mode=dir,775
> ouid=root ogid=lp rdev=00:00 obj=system_u:object_r:var_t:s0
> type=CWD msg=audit(04/16/2006 09:56:19.228:51) : cwd=/
> type=SYSCALL msg=audit(04/16/2006 09:56:19.228:51) : arch=i386
> syscall=open success=no exit=-13(Permission denied) a0=bfa652e8
> a1=8241 a2=1b6 a3=8241 items=1 pid=2245 auid=unknown(4294967295)
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) comm=cupsd exe=/usr/sbin/cupsd
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c255
> type=AVC msg=audit(04/16/2006 09:56:19.228:51) : avc: denied { write
> } for pid=2245 comm=cupsd name=job.cache dev=dm-0 ino=2814394
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
> tcontext=system_u:object_r:var_t:s0 tclass=file
>

Need the following line added to the fc file.

/var/cache/cups(/.*)? -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

This looks ok on my machine, so this would only be a problem after a relabel. Will add the line to policy.

>
> -- 
> Tom London
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From dwalsh at redhat.com Mon Apr 17 11:21:07 2006 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Apr 2006 07:21:07 -0400
Subject: Confining a Mono Application Using SELinux
In-Reply-To: 
References: 
Message-ID: <44437A23.6010802@redhat.com>

Benjy Grogan wrote:
> Hello
>
> I'm trying to take a mono app from Extras and confine it using
> SELinux. At the moment it runs in the security context
> user_u:system_r:mono_t. I would like to create my own security
> context and run the mono app in that one.
>
> I've followed all the instructions at
> on 'How can I help
> write policy?' but it's useless if I don't have a domain for my
> application.
>
> I have read that you need to install the security contexts (as an rpm)
> before installing the rpm of the mono application. So I'm assuming
> that work has to be done to create a domain for the mono application,
> and then the mono application has to be forced to install in this
> domain.
>

You do this by creating a file_type domain like myapp_exec_t and then assigning that context to the executable.

Try using /usr/share/selinux/devel/policygentool to get started.

/usr/share/selinux/devel/policygentool myapp pathtomyapp

and then answer a few questions. It will help you on your way to writing a policy module.

Dan

> I'm not sure what makes an application run in the mono_t security
> context to begin with, and how would I go about changing that?
>

The mono executable is labeled mono_exec_t. So all mono apps will get that context. mono_t is the same as unconfined_t except it does not complain about execstack and execmem.

> Benjy
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From sds at tycho.nsa.gov Mon Apr 17 13:37:24 2006 
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 17 Apr 2006 09:37:24 -0400
Subject: Mount & SELinux problems, session saving in GNOME
In-Reply-To: <44429F5D.4070906@ruja.ee>
References: <44429F5D.4070906@ruja.ee>
Message-ID: <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2006-04-16 at 22:47 +0300, Lauri wrote:
> Hi!
>
> With SELinux enabled, the system won't mount ReiserFS partitions,
> SELinux will deny it:
>
> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: found reiserfs
> format "3.6" with standard journal
> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: using ordered data mode
> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: journal params:
> device hdb1, size 8192, journal first block 18, max trans len 1024, max
> batch 900, max commit age 30, max trans age 30
> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: checking
> transaction log (hdb1)
> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: Using r5 hash to
> sort names
> Apr 15 14:19:38 localhost kernel: audit(1145099700.155:2): avc:
> denied { search } for pid=1278 comm="mount" name="/" dev=hdb1 ino=2
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: warning:
> xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount.
>
> and mount will output:
>
> mount: Operation not supported

Added fedora-selinux-list to the cc line.

SELinux and the reiserfs xattr implementation (xattrs stored as regular files) don't get along presently. There are a couple of problems, one related to mount-time initialization (as above) since reiserfs ends up trying to search the root directory for the xattr root before SELinux has a chance to set up its security label incore, and one related to atomic labeling of new inodes. If you are using reiserfs for your primary filesystems (e.g. /, /usr, ...), then you likely just have to disable SELinux. If you are only using it for e.g. /home or other kinds of data repositories that can be handled at a single security label (with some loss in granularity of control), you may be able to get by via a local policy module and a context mount, details below.

You can work around the above specific denial by creating a policy module, ala:

$ mkdir reiser
$ cd reiser
$ vi reiser.te
i(nsert)
# Declare the policy module, with a name and version.
policy_module(reiser, 1.0)

# Tell the module infrastructure what we need from the base policy
# or other previously inserted modules.
require {
	# Need these two types to already be defined.
	type mount_t;
	type unlabeled_t;
};

# Define the content of the actual policy module.
# In this case, just a single allow rule.
allow mount_t unlabeled_t:dir search;
:wq
$ make -f /usr/share/selinux/devel/Makefile
$ su
# /usr/sbin/semodule -i reiser.pp

This will add the permission required to search the root directory for the xattr subtree. (audit2allow also can be used to generate such modules, via the -M option).

Then, you likely want to do a context mount to force all files in the reiserfs filesystem to a single label, because reiserfs doesn't support proper labeling of new inodes yet. Ala:

# mount -o context=system_u:object_r:default_t:s0

But replacing default_t with some type appropriate to the data stored there. If that works, then you'll want to add the context= option to your fstab file for future mounting.

> SELinux also denys loading of some *.so files, for example a script of
> XChat, I used following code to correct it:
>
> chcon -t texrel_shlib_t /usr/lib/xhat/*.so
>
> But this gets reset after reboot.

It shouldn't be reset upon reboot unless a relabel occurred. Is /usr/lib on a reiserfs filesystem? If so, that is the problem. If not, then you can make the above change permanent across relabels/policy updates via semanage, e.g.

# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/xhat/.*\.so(\.[^/]*)*'

Then a /sbin/restorecon -Rv /usr/lib/xhat shouldn't disturb those settings.

> During shutdown, umount will fail if the name of the CD contains a
> whitespace. Something like this is used (from /etc/mtab):
>
> /media/Led\040Zeppelin
>
>
> When logging out, saving a session isn't offered as it was in FC4, so,
> in order to save the session, I have to switch on automatic saving, log
> out and then switch it off again.
>
>
> Running on FC5, kernel 2.6.16-1.2080_FC5 or
> 2.6.16-1.2080_2.rhfc5.cubbi_suspend2 (does it make any difference?).

-- 
Stephen Smalley
National Security Agency

From lauri at ruja.ee Mon Apr 17 15:58:06 2006 
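An added example, not code from this thread or from the SELinux tools: a small Python script that parses the three AVC denial formats that appear in these messages (raw auditd records, kernel/syslog records and ausearch -i output with a human-readable timestamp), merges them into audit2allow-style rules, and writes them out as a .te module in the same shape as the reiser.te recipe above. Denials that carry no tcontext/tclass, like the first Privoxy message in this thread, are reported separately since no rule can be derived from them; the module name localfix is a placeholder of my own, and the sample lines are copied from the messages in this thread.

```python
import re

# Sample AVC lines copied from messages in this thread: a raw auditd record
# (hald), a kernel/syslog record (mount on reiserfs), an ausearch -i style
# record (cupsd), the first Privoxy denial that has no tcontext/tclass, and the
# later Privoxy recv_msg denial whose target type equals its source type.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1145036599.405:1110): avc: denied { search } for pid=2452 '
    'comm="hald" name="export" dev=sdb2 ino=8161 scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'Apr 15 14:19:38 localhost kernel: audit(1145099700.155:2): avc: denied { search } '
    'for pid=1278 comm="mount" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir',
    'type=AVC msg=audit(04/16/2006 09:56:19.228:50) : avc: denied { write } for pid=2245 '
    'comm=cupsd name=remote.cache dev=dm-0 ino=2814393 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file',
    'type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect } for pid=13185 '
    'comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0',
    'type=AVC msg=audit(1145284191.527:141): avc: denied { recv_msg } for saddr=209.233.191.3 '
    'src=8080 daddr=192.168.0.5 dest=37465 netif=eth1 scontext=system_u:system_r:privoxy_t:s0 '
    'tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket',
]

# "avc: denied { perm ... } for key=value ..." is common to all three formats;
# everything before "avc:" (type=, msg=audit(...), syslog prefix) is ignored.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # values may be quoted or bare


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),   # missing in some kernel-printed denials
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """user:role:type[:range] -> type; rules are keyed on the type alone."""
    return ctx.split(':')[2]


def summarise(lines):
    """Merge denials into (source_type, target_type, class, [perms]) tuples.

    Returns (rules, skipped). skipped holds parsed denials that cannot become a
    rule because tcontext or tclass is absent; those need a fuller audit record
    (auditd running, or the enableaudit.pp module) before anything can be derived.
    """
    merged, skipped = {}, []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if not (rec['scontext'] and rec['tcontext'] and rec['tclass']):
            skipped.append(rec)
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    rules = [(src, tgt, cls, sorted(perms)) for (src, tgt, cls), perms in sorted(merged.items())]
    return rules, skipped


def format_rule(rule):
    """Render one rule the way audit2allow prints it ('self' when source == target)."""
    src, tgt, cls, perms = rule
    target = 'self' if src == tgt else tgt
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {src} {target}:{cls} {perm_txt};'


def render_module(name, rules, version='1.0'):
    """Write the rules as a .te file laid out like the reiser.te recipe above.

    audit2allow -M also lists the classes and permissions in the require block,
    so they are included here as well.
    """
    types, classes = set(), {}
    for src, tgt, cls, perms in rules:
        types.update({src} if src == tgt else {src, tgt})
        classes.setdefault(cls, set()).update(perms)
    out = [f'policy_module({name}, {version})', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['};', ''] + [format_rule(r) for r in rules]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rules, skipped = summarise(SAMPLE_AVCS)
    print(render_module('localfix', rules))
    for rec in skipped:
        print(f"# no rule for comm={rec['comm']}: tcontext/tclass missing from the record")
```

The generated file still has to be built and loaded exactly as in the recipe above (make -f /usr/share/selinux/devel/Makefile, then semodule -i); review each rule against what the process legitimately needs before loading it, as audit2allow output does here.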
From: lauri at ruja.ee (Lauri) Date: Mon, 17 Apr 2006 18:58:06 +0300 Subject: Mount & SELinux problems, session saving in GNOME In-Reply-To: <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil> References: <44429F5D.4070906@ruja.ee> <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4443BB0E.9040300@ruja.ee> > On Sun, 2006-04-16 at 22:47 +0300, Lauri wrote: >> Hi! >> >> With SELinux enabled, the system won't mount ReiserFS partitions, >> SELinux will deny it: >> >> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: found reiserfs >> format "3.6" with standard journal >> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: using ordered data mode >> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: journal params: >> device hdb1, size 8192, journal first block 18, max trans len 1024, max >> batch 900, max commit age 30, max trans age 30 >> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: checking >> transaction log (hdb1) >> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: Using r5 hash to >> sort names >> Apr 15 14:19:38 localhost kernel: audit(1145099700.155:2): avc: >> denied { search } for pid=1278 comm="mount" name="/" dev=hdb1 ino=2 >> scontext=system_u:system_r:mount_t:s0 >> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir >> Apr 15 14:19:38 localhost kernel: ReiserFS: hdb1: warning: >> xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount. >> >> and mount will output: >> >> mount: Operation not supported > > Added fedora-selinux-list to the cc line. > SELinux and the reiserfs xattr implementation (xattrs stored as regular > files) don't get along presently. There are a couple of problems, one > related to mount-time initialization (as above) since reiserfs ends up > trying to search the root directory for the xattr root before SELinux > has a chance to set up its security label incore, and one related to > atomic labeling of new inodes. If you are using reiserfs for your > primary filesystems (e.g. 
/, /usr, ...), then you likely just have to > disable SELinux. If you are only using it for e.g. /home or other kinds > of data repositories that can be handled at a single security label > (with some loss in granularity of control), you may be able to get by > via a local policy module and a context mount, details below. > > You can workaround the above specific denial by creating a policy > module, ala: > $ mkdir reiser > $ cd reiser > $ vi reiser.te > i(nsert) > # Declare the policy module, with a name and version. > policy_module(reiser, 1.0) > > # Tell the module infrastructure what we need from the base policy > # or other previously inserted modules. > require { > # Need these two types to already be defined. > type mount_t; > type unlabeled_t; > }; > > # Define the content of the actual policy module. > # In this case, just a single allow rule. > allow mount_t unlabeled_t:dir search; > :wq > $ make -f /usr/share/selinux/devel/Makefile > $ su > # /usr/sbin/semodule -i reiser.pp > > This will add the permission required to search the root directory for > the xattr subtree. (audit2allow also can be used to generate such > modules, via the -M option). > > Then, you likely want to do a context mount to force all files in the > reiserfs filesystem to a single label, because reiserfs doesn't support > proper labeling of new inodes yet. Ala: > # mount -o context=system_u:object_r:default_t:s0 > > But replacing default_t with some type appropriate to the data stored > there. If that works, then you'll want to add the context= option to > your fstab file for future mounting. To try that I enabled SELinux again. 
It relabelled the system and now gives new error: Apr 17 18:33:08 localhost kernel: [drm] Loading R200 Microcode Apr 17 18:33:10 localhost kernel: audit(1145287990.371:10): avc: denied { execmod } for pid=3964 comm="metacity" name="libGL.so.1.2" dev=hda5 ino=1235892 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file As I understand, it tries to load some files from /usr/lib/ati-fglrx. GNOME fails to start. I'm using ext3 for / and reiserfs for some additional partitions (/data1, /data2). Lauri > >> SELinux also denys loading of some *.so files, for example a script of >> XChat, I used following code to correct it: >> >> chcon -t texrel_shlib_t /usr/lib/xhat/*.so >> >> But this gets reset after reboot. > > It shouldn't be reset upon reboot unless a relabel occurred. > Is /usr/lib on a reiserfs filesystem? If so, that is the problem. > If not, then you can make the above change permanent across > relabels/policy updates via semanage, e.g. > # /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/xhat/.*\.so(\.[^/]*)* > > Then a /sbin/restorecon -Rv /usr/lib/xhat shouldn't disturb those > settings. > >> During shutdown, umount will fail if the name of the CD contains a >> whitespace. Something like this is used (from /etc/mtab): >> >> /media/Led\040Zeppelin >> >> >> When logging out, saving a session isn't offered as it was in FC4, so, >> in order to save the session, I have to switch on automatic saving, log >> out and then switch it off again. >> >> >> Running on FC5, kernel 2.6.16-1.2080_FC5 or >> 2.6.16-1.2080_2.rhfc5.cubbi_suspend2 (does it make any difference?). > From sds at tycho.nsa.gov Mon Apr 17 16:12:53 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 17 Apr 2006 12:12:53 -0400 Subject: Mount & SELinux problems, session saving in GNOME In-Reply-To: <4443BB0E.9040300@ruja.ee> References: <44429F5D.4070906@ruja.ee> <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil> <4443BB0E.9040300@ruja.ee> Message-ID: <1145290373.8542.144.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2006-04-17 at 18:58 +0300, Lauri wrote: > To try that I enabled SELinux again. It relabelled the system and now > gives new error: > > Apr 17 18:33:08 localhost kernel: [drm] Loading R200 Microcode > Apr 17 18:33:10 localhost kernel: audit(1145287990.371:10): avc: > denied { execmod } for pid=3964 comm="metacity" name="libGL.so.1.2" > dev=hda5 ino=1235892 scontext=user_u:system_r:unconfined_t:s0 > tcontext=system_u:object_r:lib_t:s0 tclass=file Hmmm...and /usr/lib is on your ext3 filesystem? # /sbin/restorecon -v /usr/lib/libGL.so.1.2 That should be textrel_shlib_t. Looks ok on an up-to-date FC5 system here. > As I understand, it tries to load some files from /usr/lib/ati-fglrx. > GNOME fails to start. > > I'm using ext3 for / and reiserfs for some additional partitions > (/data1, /data2). In that case, the local policy module + context mount option should enable you to access the reiserfs partitions sufficiently. -- Stephen Smalley National Security Agency From lauri at ruja.ee Mon Apr 17 16:58:28 2006 
From: lauri at ruja.ee (Lauri) Date: Mon, 17 Apr 2006 19:58:28 +0300 Subject: Mount & SELinux problems, session saving in GNOME In-Reply-To: <1145290373.8542.144.camel@moss-spartans.epoch.ncsc.mil> References: <44429F5D.4070906@ruja.ee> <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil> <4443BB0E.9040300@ruja.ee> <1145290373.8542.144.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4443C934.8010108@ruja.ee> > On Mon, 2006-04-17 at 18:58 +0300, Lauri wrote: >> To try that I enabled SELinux again. It relabelled the system and now >> gives new error: >> >> Apr 17 18:33:08 localhost kernel: [drm] Loading R200 Microcode >> Apr 17 18:33:10 localhost kernel: audit(1145287990.371:10): avc: >> denied { execmod } for pid=3964 comm="metacity" name="libGL.so.1.2" >> dev=hda5 ino=1235892 scontext=user_u:system_r:unconfined_t:s0 >> tcontext=system_u:object_r:lib_t:s0 tclass=file > > Hmmm...and /usr/lib is on your ext3 filesystem? > # /sbin/restorecon -v /usr/lib/libGL.so.1.2 > > That should be textrel_shlib_t. Looks ok on an up-to-date FC5 system > here. > I tried that, but it didn't work. I'll just disable SELinux then and try again some other time. :) As a home user, I don't really think I need it... Or do I? Lauri >> As I understand, it tries to load some files from /usr/lib/ati-fglrx. >> GNOME fails to start. >> >> I'm using ext3 for / and reiserfs for some additional partitions >> (/data1, /data2). > > In that case, the local policy module + context mount option should > enable you to access the reiserfs partitions sufficiently. > From sds at tycho.nsa.gov Mon Apr 17 17:14:46 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 17 Apr 2006 13:14:46 -0400 Subject: Mount & SELinux problems, session saving in GNOME In-Reply-To: <4443C934.8010108@ruja.ee> References: <44429F5D.4070906@ruja.ee> <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil> <4443BB0E.9040300@ruja.ee> <1145290373.8542.144.camel@moss-spartans.epoch.ncsc.mil> <4443C934.8010108@ruja.ee> Message-ID: <1145294086.8542.203.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2006-04-17 at 19:58 +0300, Lauri wrote: > > On Mon, 2006-04-17 at 18:58 +0300, Lauri wrote: > >> To try that I enabled SELinux again. It relabelled the system and now > >> gives new error: > >> > >> Apr 17 18:33:08 localhost kernel: [drm] Loading R200 Microcode > >> Apr 17 18:33:10 localhost kernel: audit(1145287990.371:10): avc: > >> denied { execmod } for pid=3964 comm="metacity" name="libGL.so.1.2" > >> dev=hda5 ino=1235892 scontext=user_u:system_r:unconfined_t:s0 > >> tcontext=system_u:object_r:lib_t:s0 tclass=file > > > > Hmmm...and /usr/lib is on your ext3 filesystem? > > # /sbin/restorecon -v /usr/lib/libGL.so.1.2 > > > > That should be textrel_shlib_t. Looks ok on an up-to-date FC5 system > > here. > > > > I tried that, but it didn't work. I'll just disable SELinux then and try > again some other time. :) As a home user, I don't really think I need > it... Or do I? If you don't mind, bugzilla the issue first with as much detail as possible, so that someone can at least try to investigate it further. Whether or not you "need" it is a matter of (often fiery) debate, and naturally your call to make. Motivation for having a mandatory access control (MAC) mechanism in the OS is discussed in the paper available from the link below. http://www.nsa.gov/selinux/papers/inevit-abs.cfm It isn't a panacea or silver bullet for security, but it is a basic building block necessary for building higher level security guarantees and countering the threat posed by flawed and malicious applications. 
Whether or not SELinux will help you with your specific needs at this time is another question; it depends on your situation. The other potential motivation for enabling it and working through issues is to help the community with improving it for the long term overall benefit of everyone, but you have to weigh the cost/benefit tradeoffs there, naturally. Reporting the bug is at least a step in contributing there. -- Stephen Smalley National Security Agency From obligor11-fedora at yahoo.com Mon Apr 17 17:13:44 2006 
From: obligor11-fedora at yahoo.com (Joel Gomberg)
Date: Mon, 17 Apr 2006 10:13:44 -0700
Subject: Privoxy and Port 8080
In-Reply-To: <4443714B.1030000@redhat.com>
References: <444133DE.2070801@yahoo.com> <4443714B.1030000@redhat.com>
Message-ID: <4443CCC8.8030005@yahoo.com>

Daniel J Walsh wrote:
> Joel Gomberg wrote:
>> I originally posted this message to the fedora users list. It was
>> suggested that I might have better luck here.
>>
>> SELinux is blocking privoxy's access to my public library's online
>> catalog:
>>
>> http://oaklandlibrary.org:8080/ipac20/ipac.jsp?profile=#focus
>>
>> SELinux denies access. With setenforce=0, access is permitted, so I'm
>> sure it's a SELinux issue. After perusing the SELinux FAQ, I issued
>> this command:
>>
>> semanage port -a -p tcp -t http_port_t 8080.
>>
>> The response was that port 8080 was already defined.
>>
>> The denial message is:
>>
>> type=AVC msg=audit(1145058006.474:1026): avc: denied { name_connect }
>> for pid=13185 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>>
>> I received a suggestion to issue this command:
>>
>> semanage port -m -p tcp -t privoxy_t 8080
>>
>> This changed the denial message slightly:
>>
>> type=AVC msg=audit(1145112509.543:104): avc: denied { name_connect }
>> for pid=4137 comm="privoxy" dest=8080
>> scontext=system_u:system_r:privoxy_t:s0
>> tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket
>>
>> I then issued these commands:
>>
>> [root at alcibiades ~]# setenforce 0
>> [root at alcibiades ~]# audit2allow -i /var/log/audit/audit.log
>>
>> and received this output [relevant to Privoxy]:
>>
>> allow privoxy_t http_cache_port_t:tcp_socket name_connect;
>> allow privoxy_t self:tcp_socket name_connect;
>>
>> I don't know how to proceed from here.
> Try
>
> audit2allow -M privoxy -i /var/log/audit/audit.log
> semodule -i privoxy.pp
>
> This will create a modular policy that will add these rules to your
> machine.
>
> I will change policy to allow privoxy to connect to port 8080

Apparently, it was a bit more complex than that:

audit2allow -M privoxy -i /var/log/audit/audit.log
Generating type enforcment file: privoxy.te
Compiling policy
checkmodule -M -m -o privoxy.mod privoxy.te
semodule_package -o privoxy.pp -m privoxy.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i privoxy.pp

[root at alcibiades ~]# semodule -i privoxy.pp

The denial messages were different, but still no cigar:

type=AVC msg=audit(1145284191.527:141): avc: denied { recv_msg } for saddr=209.233.191.3 src=8080 daddr=192.168.0.5 dest=37465 netif=eth1 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket

I then repeated the audit2allow and semodule commands and this time it works.

HOWEVER, after I posted the initial message, I realized that all I had to do was bypass Privoxy for the library's domain in my browser settings. So perhaps it isn't really necessary to mess with the policy.

-- 
Joel

From Valdis.Kletnieks at vt.edu Mon Apr 17 17:22:00 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Mon, 17 Apr 2006 13:22:00 -0400
Subject: Mount & SELinux problems, session saving in GNOME
In-Reply-To: Your message of "Mon, 17 Apr 2006 19:58:28 +0300." <4443C934.8010108@ruja.ee>
References: <44429F5D.4070906@ruja.ee> <1145281044.8542.46.camel@moss-spartans.epoch.ncsc.mil> <4443BB0E.9040300@ruja.ee> <1145290373.8542.144.camel@moss-spartans.epoch.ncsc.mil> <4443C934.8010108@ruja.ee>
Message-ID: <200604171722.k3HHM0xp005543@turing-police.cc.vt.edu>

On Mon, 17 Apr 2006 19:58:28 +0300, Lauri said:
> > On Mon, 2006-04-17 at 18:58 +0300, Lauri wrote:
> >> To try that I enabled SELinux again. It relabelled the system and now
> >> gives new error:
> >>
> >> Apr 17 18:33:08 localhost kernel: [drm] Loading R200 Microcode
> >> Apr 17 18:33:10 localhost kernel: audit(1145287990.371:10): avc:
> >> denied { execmod } for pid=3964 comm="metacity" name="libGL.so.1.2"
> >> dev=hda5 ino=1235892 scontext=user_u:system_r:unconfined_t:s0
> >> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >
> > Hmmm...and /usr/lib is on your ext3 filesystem?
> > # /sbin/restorecon -v /usr/lib/libGL.so.1.2
> >
> > That should be textrel_shlib_t. Looks ok on an up-to-date FC5 system
> > here.
> >
> I tried that, but it didn't work. I'll just disable SELinux then and try
> again some other time. :) As a home user, I don't really think I need
> it... Or do I?

This has the distinct aroma of an NVidia binary driver - installing that will replace your libGL.so, and I'm not very confident at the installer's ability to set textrel_shlib_t when needed, given that the flipping thing needs to be run with enforcing=0 to even *work*.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL:

From michael.chester at etsl.co.nz Mon Apr 17 22:47:30 2006
From: michael.chester at etsl.co.nz (Michael Chester)
Date: Tue, 18 Apr 2006 10:47:30 +1200
Subject: httpd and newly mounted file systems
Message-ID: <947D3D2083E1684CA55CD82A7692147601746EBA@akexg01.internal.etsl.co.nz>

Hi all,

I've recently added a new filesystem on a new disk to our system and would like to RTM to understand how to get httpd to be able to access it. I have been unable to locate suitable documentation on how to do this. Currently I just get a message telling me that httpd is unable to list '/'.

If someone could point me at a piece of doco or an earlier thread on the topic of how to do this I would really appreciate it.

Thanks in advance.

Regards,
Michael C

This electronic message together with any attachments is confidential, and may be privileged. It is intended solely for the addressee. If you are not the intended recipient do not copy, disclose, or use the contents in any way and please notify us by return e-mail immediately, then destroy the message. ETSL is not responsible for any changes made to this message and/or any attachments after sending by ETSL.

From notting at redhat.com Tue Apr 18 14:08:12 2006
From: notting at redhat.com (Bill Nottingham)
Date: Tue, 18 Apr 2006 10:08:12 -0400
Subject: problems with tmpfs and relabeling
Message-ID: <20060418140812.GA29333@devserv.devel.redhat.com>

I'm currently working with the stateless code, which mounts the root filesystem read-only, moving various things that need to be read-write to tmpfs bind-mounted in the appropriate location.

This initially runs afoul of policy, and I need to write my own policy that allows you to mount on top of /etc/resolv.conf (standard targeted policy doesn't like that for some reason. :) )

However, relabeling the files then fails - for each type that I'm putting on tmpfs, I need to add:

allow tmpfs_t:filesystem associate;

before relabelling works.

This seems strange - is this something that should be fixed in the stock policy, or should I just carry this in my own module?

Bill

From sds at tycho.nsa.gov Tue Apr 18 17:03:40 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 18 Apr 2006 13:03:40 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060418140812.GA29333@devserv.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com>
Message-ID: <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-04-18 at 10:08 -0400, Bill Nottingham wrote:
> I'm currently working with the stateless code, which mounts the root
> filesystem read-only, moving various things that need to be read-write
> to tmpfs bind-mounted in the appropriate location.
>
> This initially runs afoul of policy, and I need to write my own
> policy that allows you to mount on top of /etc/resolv.conf (standard
> targeted policy doesn't like that for some reason. :) )
>
> However, relabeling the files then fails - for each type that I'm
> putting on tmpfs, I need to add:
>
> allow tmpfs_t:filesystem associate;
>
> before relabelling works.
>
> This seems strange - is this something that should be fixed in
> the stock policy, or should I just carry this in my own module?

One option is to use a fscontext= mount option to change the security context associated with the filesystem/superblock object to match your usage, e.g. making it fs_t like a conventional filesystem rather than tmpfs_t. e.g.

mount -o fscontext=system_u:object_r:fs_t:s0 ...

The other option is to allow the associations as you suggest above, but then this would affect all tmpfs filesystems. The associate check is intended to allow the policy writer to enforce a separation of data between filesystems, so that certain kinds of data can only exist in certain filesystems. However, it isn't truly being applied to achieve a security goal in the example policy at present. As an example, you might want to prevent entrypoint executable types from ever existing in /tmp. Effectively applying such restrictions would typically require both proper use of the associate check and use of fscontext= mounts to individually assign filesystem contexts to particular filesystems.

-- 
Stephen Smalley
National Security Agency

From paul at city-fan.org Tue Apr 18 17:26:02 2006
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 18 Apr 2006 18:26:02 +0100
Subject: procmail
In-Reply-To: <443FB650.1040309@redhat.com>
References: <443BCBFB.2050104@city-fan.org> <443FB650.1040309@redhat.com>
Message-ID: <4445212A.2060708@city-fan.org>

Daniel J Walsh wrote:
> Paul Howarth wrote:
>> I use procmail as my local delivery agent from sendmail. In FC5 this
>> appears to be running as procmail_t.
>>
>> Procmail offers the ability to pipe mail through programs (filters),
>> and I use this facility from time to time. I'm getting quite a lot of
>> denials when doing this and wonder what the right approach to fixing
>> them is.
>>
>> Case 1: a locally-written shell script called "spamdomain"
>>
>> This is in my ~/bin directory and of type user_home_t
>>
>> Procmail recipe:
>> SPAMDOMAIN=`spamdomain`
>>
>> Result:
>>
>> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
>> denied { execute } for pid=16622 comm="procmail" name="spamdomain"
>> dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
>> Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
>> denied { execute_no_trans } for pid=16622 comm="procmail"
>> name="spamdomain" dev=dm-1 ino=1399071
>> scontext=system_u:system_r:procmail_t:s0
>> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>>
> You could relabel it bin_t?
>
> chcon -t bin_t ~/bin/spamdomain

That seems to have worked nicely.

>> Case 2: piping mail through "sa-learn"
>>
>> I run spamass-milter to reject mail in-protocol and then my own local
>> filter using procmail on anything that gets through. If I'm sure
>> something's spam, I like spamassassin to learn about it so I might
>> reject it earlier in future. So I pipe it through sa-learn
>> (spamd_exec_t):
>>
> Shouldn't sa-learn be labeled spamc_exec_t?
>
> If you change it to
>
> chcon -t spamc_exec_t /usr/bin/sa-learn
>
> Does it work?

That's looking OK so far too.
Next issue. One of the actions a procmail recipe can have is to forward mail somewhere else. It uses sendmail to do this. Running sendmail from procmail doesn't seem to involve a domain transition, so I get:

Try to read alternatives link for sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file

Try to run sendmail:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc: denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

Sendmail running in procmail_t instead of sendmail_t:

Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12696): avc: denied { search } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12697): avc: denied { getattr } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12698): avc: denied { write } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12699): avc: denied { add_name } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12700): avc: denied { create } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.592:12701): avc: denied { lock } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: denied { name_connect } for pid=4316 comm="sendmail" dest=587 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12703): avc: denied { remove_name } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12704): avc: denied { unlink } for pid=4316 comm="sendmail" name="dfk3IHAC7p004316" dev=dm-4 ino=1149154 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mqueue_spool_t:s0 tclass=file
Apr 18 18:10:13 goalkeeper kernel: audit(1145380213.008:12705): avc: denied { read } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

And finally for today, I have in /etc/procmailrc the following line:

LOGFILE=/var/log/procmail.log

For any account that doesn't override LOGFILE in a per-account .procmailrc, this causes procmail to log message delivery in /var/log/procmail.log. The policy appears to support logging via syslog (something I can't find how to configure), but not to files. Is that right?

Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.930:12668): avc: denied { search } for pid=2774 comm="procmail" name="log" dev=dm-4 ino=851969 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Apr 18 17:05:51 goalkeeper kernel: audit(1145376351.966:12669): avc: denied { append } for pid=2774 comm="procmail" name="procmail.log" dev=dm-4 ino=852014 scontext=user_u:system_r:procmail_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file

Paul.

From notting at redhat.com Tue Apr 18 18:41:34 2006
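The audit2allow -M step from the Privoxy thread and the denials Paul quotes above, as an added example that is not code from either message or from the audit2allow tool: a small Python stand-in for audit2allow run over AVC records constructed from the two threads. It groups the denied permissions per (source type, target type, class), emits the module source that audit2allow -M would produce (including the `self` form when source and target types coincide), and then applies two heuristics of its own that audit2allow does not have: an execute/execute_no_trans denial on a *_exec_t file signals a missing domain transition (the procmail -> sendmail case), and a name_connect denial whose target is not a *_port_t means the port itself was mislabelled, which is exactly what `semanage port -m -t privoxy_t 8080` did and why audit2allow then offered `allow privoxy_t self:tcp_socket name_connect`. The log lines are constructed from the quoted denials; the warning texts are assumptions of this example.

```python
"""Added example, not from the list: a minimal audit2allow-style generator
run over AVC denials constructed from the Privoxy and procmail messages.
The warning heuristics at the end are this example's own, not audit2allow's."""
import re
from collections import defaultdict

# Matches both the audit.log form (type=AVC msg=audit(...): avc:  denied ...)
# and the kernel/syslog form (kernel: audit(...): avc: denied ...).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scon>\S+)"
    r".*?tcontext=(?P<tcon>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# Constructed from the denials quoted in the two threads; one non-AVC record
# is included to show that it is ignored.
SAMPLE_LINES = [
    'type=AVC msg=audit(1145112509.543:104): avc:  denied  { name_connect } for  pid=4137 comm="privoxy" dest=8080 scontext=system_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:privoxy_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1145112509.543:104): arch=40000003 syscall=102 success=no exit=-13',
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file',
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file',
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.548:12696): avc: denied { search } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir',
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.588:12698): avc: denied { write } for pid=4316 comm="sendmail" name="clientmqueue" dev=dm-4 ino=1146892 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir',
    'Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.628:12702): avc: denied { name_connect } for pid=4316 comm="sendmail" dest=587 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
]


def parse_avc(line):
    """Return (perms, source type, target type, class), or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scon").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcon").split(":")[2]
    return m.group("perms").split(), stype, ttype, m.group("tclass")


def collect(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name="local"):
    """Emit loadable-module source in the shape audit2allow -M writes to <name>.te."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_s, _t, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype   # audit2allow writes self here
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def warnings(rules):
    """Denials that should not simply become allow rules (this example's heuristics)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if tclass == "file" and ttype.endswith("_exec_t") and perms & {"execute", "execute_no_trans"}:
            out.append(f"{stype} runs {ttype} in its own domain: a missing domain transition "
                       f"(domtrans) is the likely fix, not execute_no_trans")
        if tclass == "tcp_socket" and "name_connect" in perms and not ttype.endswith("_port_t"):
            out.append(f"{stype} connects to a port labelled {ttype}, which is not a port type: "
                       f"fix the port label with semanage port rather than allowing it")
    return out


RULES = collect(SAMPLE_LINES)
TE = render_te(RULES, "local")

if __name__ == "__main__":
    print(TE)
    for w in warnings(RULES):
        print("#", w)
```

Run it and the generated source is what `checkmodule -M -m` and `semodule_package` would compile, as in the sequence audit2allow -M printed in Joel's message; the two warnings are the part audit2allow leaves to the reader.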
From: notting at redhat.com (Bill Nottingham)
Date: Tue, 18 Apr 2006 14:41:34 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060418184134.GC8935@devserv.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> > However, relabeling the files then fails - for each type that I'm
> > putting on tmpfs, I need to add:
> >
> > allow tmpfs_t:filesystem associate;
> >
> > before relabelling works.
> >
> > This seems strange - is this something that should be fixed in
> > the stock policy, or should I just carry this in my own module?
>
> One option is to use a fscontext= mount option to change the security
> context associated with the filesystem/superblock object to match your
> usage, e.g. making it fs_t like a conventional filesystem rather than
> tmpfs_t. e.g.
> mount -o fscontext=system_u:object_r:fs_t:s0 ...

Considering this is scratch space that will be used just like the 'stock' filesystem for various things (/var, /etc state files, etc.), this seems to be the right solution. I'll try this.

Bill

From knute at frazmtn.com Tue Apr 18 20:01:15 2006
From: knute at frazmtn.com (Knute Johnson)
Date: Tue, 18 Apr 2006 13:01:15 -0700
Subject: Question about log entries
Message-ID: <4444E31B.25031.E09FE8@knute.frazmtn.com>

I really don't have a good grasp on how selinux works so simple explanations will be better. This showed up in my log this morning. What would generate this sort of an entry?

Thanks,

knute...

--------------------- Selinux Audit Begin ------------------------

*** Denials ***
user_u system_u (file): 48 times
user_u user_u (process): 1 times

---------------------- Selinux Audit End -------------------------

-- 
Knute Johnson
Molon Labe...

From mc-al34luc at sbcglobal.net Tue Apr 18 20:39:08 2006
From: mc-al34luc at sbcglobal.net (Mike Carney)
Date: Tue, 18 Apr 2006 13:39:08 -0700
Subject: hald / <<none>> / semanage
Message-ID:

I posted the following a few days ago. Some more information:

It seems that all hald wants to do is view the root directory of the mounted filesystem. After downloading, installing, and viewing the policy source files, it seems rather excessive to grant hald permission to search all directories on the mounted volume.

Is the fix to change the policy to simply not to audit the attempts of the hald domain to get attributes of all filesystems? Or add a rule to always relabel the root directory of any r/w filesystem to some standard context the hald domain is granted access to?

Finally, there doesn't appear to be a way to convince semanage to accept the '<<none>>' (don't recurse when relabeling) keyword when adding a context. Is this a bug?

Guidance as to what the right thing to do would be appreciated (I don't mind submitting a bug, just as long as I have the right information to place in it).

TIA.

> Re: FC5: what context should I use for extra ext3 filesystems?
> Daniel J Walsh wrote:
> >
> > Ok lets fix hal then. What is it complaining about?
>
> 45# audit2why < /tmp/y
> type=AVC msg=audit(1145036599.405:1110): avc: denied { search } for
> pid=2452 comm="hald" name="export" dev=sdb2 ino=8161
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=dir
>         Was caused by:
>                 Missing or disabled TE allow rule.
>                 Allow rules may exist but be disabled by boolean settings;
> check boolean settings.
>                 You can see the necessary allow rules by running audit2allow
> with this audit message as input.
>
>
> Looks like we need:
>
> 47# audit2allow < /tmp/y
> allow hald_t default_t:dir search;
> 48#
>
> BTW, how does one use semanage to specify that a context not recurse
> to subdirectories? (e.g. <<none>>).

From notting at redhat.com Tue Apr 18 20:42:45 2006
From: notting at redhat.com (Bill Nottingham)
Date: Tue, 18 Apr 2006 16:42:45 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060418184134.GC8935@devserv.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com>
Message-ID: <20060418204245.GB17013@devserv.devel.redhat.com>

Bill Nottingham (notting at redhat.com) said:
> Stephen Smalley (sds at tycho.nsa.gov) said:
> > > However, relabeling the files then fails - for each type that I'm
> > > putting on tmpfs, I need to add:
> > >
> > > allow tmpfs_t:filesystem associate;
> > >
> > > before relabelling works.
> > >
> > > This seems strange - is this something that should be fixed in
> > > the stock policy, or should I just carry this in my own module?
> >
> > One option is to use a fscontext= mount option to change the security
> > context associated with the filesystem/superblock object to match your
> > usage, e.g. making it fs_t like a conventional filesystem rather than
> > tmpfs_t. e.g.
> > mount -o fscontext=system_u:object_r:fs_t:s0 ...
>
> Considering this is scratch space that will be used just like
> the 'stock' filesystem for various things (/var, /etc state
> files, etc.), this seems to be the right solution. I'll try
> this.

So, this doesn't work for me... the initial mount of the tmpfs fails (with no avc). Subsequent mounts succeed, but, well, at that point you're screwed.

Bill

From notting at redhat.com Tue Apr 18 20:48:34 2006
From: notting at redhat.com (Bill Nottingham)
Date: Tue, 18 Apr 2006 16:48:34 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060418204245.GB17013@devserv.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com>
Message-ID: <20060418204834.GD17013@devserv.devel.redhat.com>

Bill Nottingham (notting at redhat.com) said:
> > > mount -o fscontext=system_u:object_r:fs_t:s0 ...
> >
> > Considering this is scratch space that will be used just like
> > the 'stock' filesystem for various things (/var, /etc state
> > files, etc.), this seems to be the right solution. I'll try
> > this.
>
> So, this doesn't work for me... the initial mount of the tmpfs
> fails (with no avc). Subsequent mounts succeed, but, well, at that point
> you're screwed.

Aha, it's failing because system_u:system_r:mount_t can't relabel a filesystem to system_u:object_r:fs_t.

Bill

From goeran at uddeborg.se Tue Apr 18 21:37:35 2006
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Tue, 18 Apr 2006 23:37:35 +0200
Subject: Exporting NTFS filesystems over NFS (again)
Message-ID: <17477.23583.684283.614305@mimmi.uddeborg.se>

In a kind of a déjà vu (https://www.redhat.com/archives/fedora-selinux-list/2005-October/msg00101.html) I am no longer able to mount NTFS filesystems over NFS. I include the audit messages below.

If I understand things correctly, the catch is that nfsd_t domain processes are not allowed to do getattr on directories of the dosfs_t.

Last time, under FC4, my problem was that the policy had not been properly reloaded on upgrades. The policy did actually allow the operation. But I do not understand how this could work now. The dosfs_t has attribute noxattrfs just like in the FC4 policy. But I can not find anything allowing nfsd_t to do getattr on noxattrfs.

Looking at the code, my impression is that there ought to be "fs_list_noxattr_fs(nfsd_t)" declarations in the nfs_export_all_rw/ro clauses in rpc.te. That would allow nfsd_t to access directories on noxattr filesystems. As it is now it is allowed to read FILES there (through "fs_read_noxattr_fs_files(nfsd_t)"), but not do anything with directories. (Except "search", so it can get to the files.) And that is apparently not enough.

Am I just confused, or is there indeed a bug here?

type=AVC msg=audit(1145364546.934:3950): avc: denied { getattr } for pid=14600 comm="rpc.mountd" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1145364546.934:3950): arch=40000003 syscall=195 success=no exit=-13 a0=56570dd1 a1=ffffcb7c a2=f7fa6ff4 a3=ffffcb7c items=1 pid=14600 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.mountd" exe="/usr/sbin/rpc.mountd"
type=AVC_PATH msg=audit(1145364546.934:3950): path="/mnt/remote/teddi"
type=CWD msg=audit(1145364546.934:3950): cwd="/var/lib/nfs"
type=PATH msg=audit(1145364546.934:3950): item=0 name="/mnt/remote/teddi" flags=1 inode=5 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00

From sds at tycho.nsa.gov Wed Apr 19 11:47:25 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 19 Apr 2006 07:47:25 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060418204245.GB17013@devserv.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com>
Message-ID: <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-04-18 at 16:42 -0400, Bill Nottingham wrote:
> > Considering this is scratch space that will be used just like
> > the 'stock' filesystem for various things (/var, /etc state
> > files, etc.), this seems to be the right solution. I'll try
> > this.
>
> So, this doesn't work for me... the initial mount of the tmpfs
> fails (with no avc). Subsequent mounts succeed, but, well, at that point
> you're screwed.

Any other messages in /var/log/messages from SELinux (not just avc)? e.g. SELinux: security_context_to_sid(xxx) failed ...

It may be necessary to add allow rules to enable the fscontext= mount to succeed, although I would have expected that to generate an avc denial if that were the issue (unless suppressed by a dontaudit, but that seems wrong). You would need to
allow :filesystem relabelfrom;
allow :filesystem relabelto;

Dan?

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Apr 19 12:31:52 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 19 Apr 2006 08:31:52 -0400
Subject: hald / <<none>> / semanage
In-Reply-To:
References:
Message-ID: <1145449912.24289.30.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-04-18 at 13:39 -0700, Mike Carney wrote:
> I posted the following a few days ago. Some more information:
>
> It seems that all hald wants to do is view the root directory of the
> mounted filesystem. After downloading, installing, and viewing the
> policy source files, it seems rather excessive to grant hald
> permission to search all directories on the mounted volume.
>
> Is the fix to change the policy to simply not to audit the attempts
> of the hald domain to get attributes of all filesystems?

No, it should be allowed to get attributes of all filesystems; otherwise, parts of the desktop will break. Didn't this already come up?

> Or add a rule to always relabel the root directory of any r/w filesystem
> to some standard context the hald domain is granted access to?
>
> Finally, there doesn't appear to be a way to convince semanage to accept
> the '<<none>>' (don't recurse when relabeling) keyword when adding a
> context. Is this a bug?

There is no recursion inherent in file contexts - it is only if you specify a regex that has (/.*)? tail that it is applied to all files under the directory too. <<none>> is if you don't want setfiles to touch the file label at all (ever).

> Guidance as to what the right thing to do would be appreciated (I don't
> mind submitting a bug, just as long as I have the right information to
> place in it).

-- 
Stephen Smalley
National Security Agency

From notting at redhat.com Wed Apr 19 14:12:46 2006
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 19 Apr 2006 10:12:46 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060419141246.GA7424@devserv.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> On Tue, 2006-04-18 at 16:42 -0400, Bill Nottingham wrote:
> > > Considering this is scratch space that will be used just like
> > > the 'stock' filesystem for various things (/var, /etc state
> > > files, etc.), this seems to be the right solution. I'll try
> > > this.
> >
> > So, this doesn't work for me... the initial mount of the tmpfs
> > fails (with no avc). Subsequent mounts succeed, but, well, at that point
> > you're screwed.
>
> Any other messages in /var/log/messages from SELinux (not just avc)?
> e.g. SELinux: security_context_to_sid(xxx) failed ...

Sorry, I misspoke - I did find the avc later - it was system_u:system_r:mount_t being unable to relabel a filesystem to system_u:object_r:fs_t.

> It may be necessary to add allow rules to enable the fscontext= mount to
> succeed, although I would have expected that to generate an avc denial
> if that were the issue (unless suppressed by a dontaudit, but that seems
> wrong). You would need to allow
> :filesystem relabelfrom; allow
> :filesystem relabelto; Dan?

Is this something generally useful, or something I should add along with the various 'mounton' policies I need to create?

Related question: is there a way to install policy modules that are available for use, but not used? Having to remove the module entirely, and then rebuild/recopy it when it's needed, seems to be overkill.

Bill

From paul at city-fan.org Wed Apr 19 15:41:42 2006
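The two rules Stephen lists, instantiated for the denial Bill found (mount_t relabelling a filesystem from tmpfs_t to fs_t), as an added policy fragment that is not from the thread, from the stateless code or from the stock policy. The module name is an assumption, the source is in the raw module syntax that audit2allow -M emits (so it builds with the checkmodule/semodule_package/semodule sequence printed in the Privoxy thread, no m4 step needed), and the thread does not confirm that this alone makes the fscontext= mount succeed.

```te
module tmpfs_fscontext 1.0;

require {
	type mount_t;
	type tmpfs_t;
	type fs_t;
	class filesystem { relabelfrom relabelto };
}

# mount -o fscontext=system_u:object_r:fs_t:s0 -t tmpfs none /some/dir
# changes the superblock label from tmpfs_t to fs_t, so the mounting
# domain needs relabelfrom on the old filesystem type and relabelto on
# the new one.  Only mount_t is widened; no file type gains the right to
# live on every tmpfs, which is what the per-type associate rules Bill
# first tried would have done.
allow mount_t tmpfs_t:filesystem relabelfrom;
allow mount_t fs_t:filesystem relabelto;
```

Once the superblock is fs_t, the files on it are subject to the same associate checks as files on the root filesystem, so restorecon over the bind-mounted state files no longer needs an `associate` rule per type. The trade-off Stephen describes still stands: this keeps the ability to use the associate check on real tmpfs mounts later, while the associate-rule route gives that up for every tmpfs on the system.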
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 19 Apr 2006 16:41:42 +0100
Subject: Create new types in modules?
In-Reply-To: <1145021268.11164.48.camel@moss-spartans.epoch.ncsc.mil>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org> <1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil> <1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil> <443E4F63.8010306@city-fan.org> <443F9B73.8070302@redhat.com> <1145021268.11164.48.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <44465A36.1070201@city-fan.org>

Stephen Smalley wrote:
> On Fri, 2006-04-14 at 08:54 -0400, Daniel J Walsh wrote:
>>> Excellent - thanks.
>>>
>>> Now why isn't this doing what I expect:
>>>
>>> # semanage fcontext -a -t mock_root_t \
>>>   /usr/share/fsdata/mock/'[^/]*/root(/.*)?'
>>> # mkdir /usr/share/fsdata/mock/redhat-8.0-i386-core/root
>>> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
>>> drwxrwsr-x paul mock user_u:object_r:usr_t result
>>> drwxr-sr-x root mock root:object_r:usr_t root
>>> drwxrwsr-x paul mock user_u:object_r:usr_t state
>>> # restorecon -v /usr/share/fsdata/mock/redhat-8.0-i386-core/root
>>> restorecon reset /usr/share/fsdata/mock/redhat-8.0-i386-core/root
>>> context root:object_r:usr_t->system_u:object_r:mock_root_t
>>> # ls -lZ /usr/share/fsdata/mock/redhat-8.0-i386-core
>>> drwxrwsr-x paul mock user_u:object_r:usr_t result
>>> drwxr-sr-x root mock system_u:object_r:mock_root_t root
>>> drwxrwsr-x paul mock user_u:object_r:usr_t state
>>>
>>> Why doesn't the directory
>>> /usr/share/fsdata/mock/redhat-8.0-i386-core/root get created as type
>>> mock_root_t in the first place rather than having to do the restorecon
>>> on it?
>>>
>> You need to tell mkdir which context to create it with or write a
>> transition rule in policy that says when context ABC_t creates files in
>> directories labeled DEF_T, create them GEH_T.
>>
>> You can also look at mkdir -Z.
>
> A bit of explanation: The file contexts configuration is only intended
> to establish the initial state of the filesystem, for use by programs
> like rpm and install, based on some external knowledge about the
> security properties of files and some assumptions about secure creation
> and distribution of the packages in the first place. For normal file
> creation at runtime, we don't want to rely on anything path-based at all
> because that doesn't tell us anything about the real security properties
> of the object; we want to label the files in accordance with the
> security properties of their creator, related objects (e.g. parent
> directory), and the runtime kernel policy (type transition rules). So a
> directory created by mkdir isn't going to automatically pick up the
> context defined in file_contexts. The user can force it to that context
> (if allowed to do so by policy) via mkdir -Z or by running restorecon
> after the fact, but that does require explicit action by the user, and
> won't be allowed under some policies.

OK, what I've got now is as follows:

mock.if:

########################################
## Create objects in the /var/lib/mock directory
##
## $1: Domain allowed access.
## $2: The type of the object to be created
## $3: The object class.
#
interface(`files_var_lib_mock_filetrans',`
	gen_require(`
		type var_t, var_lib_t, mock_var_lib_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lib_t:dir search_dir_perms;
	allow $1 mock_var_lib_t:dir rw_dir_perms;
	type_transition $1 mock_var_lib_t:$3 $2;
')

mock.fc:

/var/lib/mock(/[^/]*)?		gen_context(system_u:object_r:mock_var_lib_t,s0)
/var/lib/mock/[^/]*/.*		gen_context(system_u:object_r:mock_root_t,s0)

mock.te:

policy_module(mock, 0.5)

require {
	type unconfined_t;
};

# New types for mock, used for files
type mock_root_t;
files_type(mock_root_t)

type mock_var_lib_t;
files_type(mock_var_lib_t)

# Type transition needed to ensure roots get created as mock_root_t
files_var_lib_mock_filetrans(unconfined_t,mock_root_t,{ file dir })

# Old libraries may need execmod permission
allow unconfined_t mock_root_t:file execmod;

This all seems to work very nicely, provided the module is loaded before mock is installed so that /var/lib/mock gets created as mock_var_lib_t. Otherwise, a restorecon is needed.

Cheers, Paul.

From m3freak at rogers.com Wed Apr 19 20:42:55 2006
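The two labelling paths Stephen contrasts (file_contexts applied by setfiles/restorecon versus creator, parent and type_transition at creation time), and the `<<none>>` and `(/.*)?` points from the hald thread above, as an added example that is not code from the list, from refpolicy or from mock. `restore_label` models a file_contexts table the way setfiles applies it: every regex must match the whole path, the last matching entry wins (the documented rule, and the reason `semanage fcontext` additions are appended after the distribution's entries), an entry whose context is `<<none>>` leaves the current label alone, and nothing recurses unless the regex itself ends in `(/.*)?` or similar. `runtime_label` models creation: the new object's type comes from a type_transition rule for (creator domain, parent type, class) or else is inherited from the parent directory, and file_contexts is never consulted, which is why Paul's mkdir under a usr_t directory produced usr_t. The table is built from Paul's mock.fc and his semanage fcontext line; the /usr, /var/lib and /.* entries and the /export `<<none>>` entry are assumptions made for the example.

```python
"""Added example, not from the list, refpolicy or mock: a model of the two
labelling mechanisms contrasted above.  Tables are constructed from the
mock.fc entries and the hald thread plus a few assumed entries."""
import re

NONE = "<<none>>"   # file_contexts keyword: setfiles/restorecon leave the label alone

# file_contexts entries in file order: (regex, class code or None, context).
# The class code stands for the optional second column (-d dir, -- file, -l link);
# None matches any class.  Later entries override earlier ones.
FILE_CONTEXTS = [
    (r"/.*", None, "system_u:object_r:default_t:s0"),               # assumed
    (r"/usr(/.*)?", None, "system_u:object_r:usr_t:s0"),             # assumed
    (r"/var/lib(/.*)?", None, "system_u:object_r:var_lib_t:s0"),     # assumed
    # Paul's mock.fc
    (r"/var/lib/mock(/[^/]*)?", None, "system_u:object_r:mock_var_lib_t:s0"),
    (r"/var/lib/mock/[^/]*/.*", None, "system_u:object_r:mock_root_t:s0"),
    # Paul's earlier semanage fcontext line
    (r"/usr/share/fsdata/mock/[^/]*/root(/.*)?", None, "system_u:object_r:mock_root_t:s0"),
    # assumed: a mount point that relabels must leave alone, the <<none>> use Stephen describes
    (r"/export", "d", NONE),
]
CLASS_CODE = {"d": "dir", "f": "file", "l": "lnk_file"}


def restore_label(path, cls, current, table=FILE_CONTEXTS):
    """Context setfiles/restorecon would assign to `path` of class `cls` whose
    current context is `current`: whole-path match, last matching entry wins,
    <<none>> (or no match at all) keeps the current label."""
    chosen = None
    for regex, code, ctx in table:
        if code is not None and CLASS_CODE[code] != cls:
            continue
        if re.fullmatch(regex, path):
            chosen = ctx
    if chosen is None or chosen == NONE:
        return current
    return chosen


# Runtime labelling: type_transition rules keyed by (creator domain, parent type,
# class), as Paul's files_var_lib_mock_filetrans(unconfined_t, mock_root_t, { file dir })
# expands to.
TYPE_TRANSITIONS = {
    ("unconfined_t", "mock_var_lib_t", "dir"): "mock_root_t",
    ("unconfined_t", "mock_var_lib_t", "file"): "mock_root_t",
}


def runtime_label(creator, parent_type, cls, rules=TYPE_TRANSITIONS):
    """Type a new object gets at create(): the type_transition target if a rule
    matches, otherwise the parent directory's type.  file_contexts plays no part."""
    return rules.get((creator, parent_type, cls), parent_type)


if __name__ == "__main__":
    for p in ("/var/lib/mock", "/var/lib/mock/redhat-8.0-i386-core",
              "/var/lib/mock/redhat-8.0-i386-core/root", "/export", "/export/data"):
        print(p, "->", restore_label(p, "dir", "system_u:object_r:mnt_t:s0"))
    print("mkdir in usr_t by unconfined_t ->", runtime_label("unconfined_t", "usr_t", "dir"))
    print("mkdir in mock_var_lib_t by unconfined_t ->",
          runtime_label("unconfined_t", "mock_var_lib_t", "dir"))
```

The `/export` entry shows what Mike was after: with `-d` and `<<none>>` the mount point keeps whatever label it has, but `/export/data` is not covered, because only the regex tail, not the keyword, decides what lies beneath.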
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 19 Apr 2006 16:42:55 -0400
Subject: SElinux Removal?
In-Reply-To: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
References: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
Message-ID: <1145479375.9591.26.camel@krs>

On Thu, 2006-13-04 at 17:52 +0100, idonttrustmspassport at ktcasey.plus.com wrote:
> Is it possible to remove SELinux completely during FC5 installation, or
> even when installed?

Speaking about removal, I have my own problems with the damn thing. I
have NEVER been able to run Request Tracker on a Red Hat machine with
SElinux in enforcing mode. I've tried customizing my local policy, but
even when no more AVCs are printed to the log file, RT still refuses to
run. Put SElinux into permissive mode, and voila, RT is running again.

I know personally of 5 businesses that completely abandoned RHEL 4
because they could not get their apps to work with SElinux enabled. So,
they made the enlightened decision to go back to RH9. Brilliant.

Ah well. I'm hoping one day SElinux will be much easier to admin and
use. For now, what a massive pain in the ass.

BTW, you should be able to put SElinux into permissive mode. That
effectively turns SElinux "off" (not completely, but I bet you really
don't care for the explanation). :)

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.16-1.2069_FC4 i686 GNU/Linux
16:33:02 up 10:02, 3 users, load average: 0.16, 0.36, 0.38

From paul at city-fan.org Wed Apr 19 20:56:44 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 19 Apr 2006 21:56:44 +0100
Subject: SElinux Removal?
In-Reply-To: <1145479375.9591.26.camel@krs>
References: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
	<1145479375.9591.26.camel@krs>
Message-ID: <1145480205.3498.4.camel@laurel.intra.city-fan.org>

On Wed, 2006-04-19 at 16:42 -0400, Kanwar Ranbir Sandhu wrote:
> On Thu, 2006-13-04 at 17:52 +0100, idonttrustmspassport at ktcasey.plus.com
> wrote:
> > Is it possible to remove SELinux completely during FC5 installation, or
> > even when installed?
> 
> Speaking about removal, I have my own problems with the damn thing. I
> have NEVER been able to run Request Tracker on a Red Hat machine with
> SElinux in enforcing mode. I've tried customizing my local policy, but
> even when no more AVC's are printed to the log file, RT still refuses to
> run. Put SElinux into permissive mode, and viola, RT is running again.

The Fedora Extras rt3 package contains a README.fedora file that tells
you how to get it to work under SELinux.

> I know personally of 5 businesses that completely abandoned RHEL 4
> because they could not get their apps to work with SElinux enabled. So,
> they made the enlightened decision to go back to RH9. Brilliant.
> 
> Ah well. I'm hoping one day SElinux will be much easier to admin and
> use. For now, what a massive pain in the ass.
> 
> BTW, you should be able to put SElinux into permissive mode. That
> effectively turns SElinux "off" (not completely, but I bet you really
> don't care for the explanation). :)

# setenforce 0

Paul.

From m3freak at rogers.com Wed Apr 19 21:01:00 2006
From: m3freak at rogers.com (Kanwar Ranbir Sandhu)
Date: Wed, 19 Apr 2006 17:01:00 -0400
Subject: SElinux Removal?
In-Reply-To: <1145480205.3498.4.camel@laurel.intra.city-fan.org>
References: <3.0.6.32.20060413175251.00adcb60@mail.plus.net>
	<1145479375.9591.26.camel@krs>
	<1145480205.3498.4.camel@laurel.intra.city-fan.org>
Message-ID: <1145480460.9591.30.camel@krs>

On Wed, 2006-19-04 at 21:56 +0100, Paul Howarth wrote:
> The Fedora Extras rt3 package contains a README.fedora file that tells
> you how to get it to work under SELinux.

Holy crap! I had no idea it existed. I run CentOS 4 and RHEL 4 on my
servers. Fedora is only used on my laptop, so I have no need to install
RT from the Extras repo.

A big thank you for pointing that out, Paul. I have some reading to do
now. :)

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.16-1.2069_FC4 i686 GNU/Linux
16:58:23 up 10:28, 3 users, load average: 0.74, 0.58, 0.41

From tonynelson at georgeanelson.com Thu Apr 20 02:47:39 2006
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Wed, 19 Apr 2006 22:47:39 -0400
Subject: FC5 CUPS and Netatalk (fixed?)
Message-ID:

I've just fixed an SELinux policy issue on FC5, printing via CUPS to a
printer connected via Netatalk (AppleTalk).

I upgrade-installed from FC3 to FC5. I had Netatalk 1.6.x on FC3, with
SELinux enforcing, and could print via CUPS over Ethernet to a printer on
a Mac on Localtalk. After the upgrade (and getting Netatalk working again)
it would only print with SELinux in permissive mode.

After a few tries, I collected the following AVC messages and used
audit2allow to make the module below, installed it, and printing works
again. I don't know if this module is exactly right, or even if it is
generally needed by CUPS or only for PAP with Netatalk.

type=AVC msg=audit(1145484476.381:82): avc: denied { create } for pid=8035 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145485638.551:86): avc: denied { bind } for pid=8215 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145485978.490:91): avc: denied { getattr } for pid=8291 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145486131.769:96): avc: denied { write } for pid=8336 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145486380.729:103): avc: denied { read } for pid=8408 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket

------- pap.te -------
module pap 1.0;

require {
	class socket { bind create getattr read write };
	type cupsd_t;
};

allow cupsd_t self:socket { bind create getattr read write };
-------
____________________________________________________________________
TonyN.:' '

From jreiser at BitWagon.com Thu Apr 20 05:52:28 2006
From: jreiser at BitWagon.com (John Reiser)
Date: Wed, 19 Apr 2006 22:52:28 -0700
Subject: Does MAP_FIXED inhibit execmem denial?
Message-ID: <4447219C.20301@BitWagon.com>

I develop the Linux+ELF side of UPX, which compresses executable programs
to save storage space and invocation time. Immediately after kernel
execve() of a compressed program, a small decompressor reconstructs
the original PT_LOADs directly into address space; then execution proceeds
as usual. The decompression writes instructions which execute later,
directly into pages with both PROT_WRITE and PROT_EXEC, so perhaps
there should be a { denied } avc due to execmem when SELinux is in
enforcing mode. Reading the explanation of execmem in
   http://people.redhat.com/drepper/selinux-mem.html
supports this theory.

However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
I see no execmem complaints. Strace of typical execution begins:
-----
old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xc06000) = 0xc06000
   /* interval [0xc06000, +4096) is written and executed >now< */
old_mmap(0x8048000, 45056, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8048000
old_mmap(0x8048000, 40647, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8048000
   /* interval [0x8048000, +40644) is written >now< */
mprotect(0x8048000, 40644, PROT_READ|PROT_EXEC) = 0
   /* interval [0x8048000, +40644) is executed later */
old_mmap(0x8052000, 3800, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0xa000) = 0x8052000
-----
Notice that the first and third old_mmap() specify (PROT_WRITE | PROT_EXEC)
with (MAP_FIXED | MAP_ANONYMOUS) [and other bits, too.]

SELinux was in targeted enforcing mode, and this was an unconfined
compressed executable. How did these system calls evade being denied
due to execmem?

-- 

From paul at city-fan.org Thu Apr 20 14:30:49 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 20 Apr 2006 15:30:49 +0100
Subject: Create new types in modules?
In-Reply-To: <44465A36.1070201@city-fan.org>
References: <1144913765.23369.30.camel@laurel.intra.city-fan.org>
	<1144930120.7020.11.camel@moss-spartans.epoch.ncsc.mil>
	<1144930821.7020.18.camel@moss-spartans.epoch.ncsc.mil>
	<443E4F63.8010306@city-fan.org> <443F9B73.8070302@redhat.com>
	<1145021268.11164.48.camel@moss-spartans.epoch.ncsc.mil>
	<44465A36.1070201@city-fan.org>
Message-ID: <44479B19.9030707@city-fan.org>

Paul Howarth wrote:
> OK, what I've got now is as follows:

... (yesterday's mock policy module snipped) ...

I've rewritten the mock policy now because I came across another problem
with it: trying to run mono under mock to build mono apps failed with
execheap violations. This couldn't be fixed as simply as the execmod
issues with old libraries, so I've ended up having mock run in its own
domain, mock_t (much like mono would normally run in mono_t) and having
mock_t able to do execheap and execmem, as per the current policy for
mono_t.

Full details for anyone that's interested here:
http://www.city-fan.org/tips/PaulHowarth/Blog/2006-04-20

I'll give this a few days whilst I see if any more issues crop up, and
then I'll update the fedoraproject wiki with the details. Or it might
eventually be an idea to include it in Core policy.

Paul.

From sds at tycho.nsa.gov Thu Apr 20 16:19:12 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 20 Apr 2006 12:19:12 -0400
Subject: Does MAP_FIXED inhibit execmem denial?
In-Reply-To: <4447219C.20301@BitWagon.com>
References: <4447219C.20301@BitWagon.com>
Message-ID: <1145549952.3313.135.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-19 at 22:52 -0700, John Reiser wrote:
> I develop the Linux+ELF side of UPX, which compresses executable programs
> to save storage space and invocation time. Immediately after kernel
> execve() of a compressed program, a small decompressor reconstructs
> the original PT_LOADs directly into address space; then execution proceeds
> as usual. The decompression writes instructions which execute later,
> directly into pages with both PROT_WRITE and PROT_EXEC, so perhaps
> there should be a { denied } avc due to execmem when SELinux is in
> enforcing mode. Reading the explanation of execmem in
> http://people.redhat.com/drepper/selinux-mem.html
> supports this theory.
> 
> However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
> I see no execmem complaints. Strace of typical execution begins:

Hmmm...shouldn't.

# /usr/sbin/getsebool allow_execmem
(If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
confined domain.)
# cat /selinux/checkreqprot
# execstack -q /path/to/program

-- 
Stephen Smalley
National Security Agency

From jreiser at BitWagon.com Thu Apr 20 18:16:23 2006
From: jreiser at BitWagon.com (John Reiser)
Date: Thu, 20 Apr 2006 11:16:23 -0700
Subject: Does MAP_FIXED inhibit execmem denial?
In-Reply-To: <1145549952.3313.135.camel@moss-spartans.epoch.ncsc.mil>
References: <4447219C.20301@BitWagon.com>
	<1145549952.3313.135.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4447CFF7.2020206@BitWagon.com>

Stephen Smalley wrote:
>>However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
>>I see no execmem complaints. Strace of typical execution begins:
> 
> 
> Hmmm...shouldn't.
> 
> # /usr/sbin/getsebool allow_execmem
> (If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
> confined domain.)
> # cat /selinux/checkreqprot
> # execstack -q /path/to/program

Thank you for diagnosing. allow_execmem is "on" under the installed
selinux-policy-targeted-2.2.29-3.fc5. [There have been no changes
to booleans after default install of FC5 except via "yum upgrade".]

Transcript:
-----
# /usr/sbin/getsebool allow_execmem
allow_execmem --> on
# /usr/sbin/setsebool allow_execmem=0
# cat /selinux/checkreqprot   ## Note the output '1' on the next line.
1# execstack -q ./date.OK
execstack: "./date.OK" has no section headers
## The info would be in a PT_GNU_STACK Elf32_Phdr "segment header",
## not in any Elf32_Shdr.
## But anyway, there is no PT_GNU_STACK in ./date.OK, either.
# strace ./date.OK
execve("./date.OK", ["./date.OK"], [/* 22 vars */]) = 0
old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, \
   -1, 0xc06000) = -1 EACCES (Permission denied)   ## Now I understand.
# rpm -qa | grep selinux
libselinux-devel-1.30-1.fc5
selinux-policy-2.2.29-3.fc5
selinux-policy-targeted-2.2.29-3.fc5
libselinux-1.30-1.fc5
libselinux-python-1.30-1.fc5
#
-----

-- 

From dwalsh at redhat.com Thu Apr 20 18:18:51 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Apr 2006 14:18:51 -0400
Subject: httpd and newly mounted file systems
In-Reply-To: <947D3D2083E1684CA55CD82A7692147601746EBA@akexg01.internal.etsl.co.nz>
References: <947D3D2083E1684CA55CD82A7692147601746EBA@akexg01.internal.etsl.co.nz>
Message-ID: <4447D08B.4030901@redhat.com>

Michael Chester wrote:
> Hi all,
> 
> I've recently added a new filesystem on a new disk to our system and
> would like to RTM to understand how to get httpd to be able to access
> it. I have been unable to locate suitable documentation on how to do
> this. Currently I just get a message telling me that httpd is unable to
> list '/'. If someone could point me at a piece of doco or an earlier
> thread on the topic of how to do this I would really appreciate it.
> Thanks in advance.
> 
> 
Have you looked at the FAQ? http://fedora.redhat.com/docs/selinux-faq-fc5

Also lots of info at http://fedoraproject.org/wiki/SELinux

> Regards,
> Michael C
> 
> This electronic message together with any attachments is confidential,
> and may be privileged. It is intended solely for the addressee. If you are
> not the intended recipient do not copy, disclose, or use the contents in
> any way and please notify us by return e-mail immediately, then
> destroy the message. ETSL is not responsible for any changes made to
> this message and/or any attachments after sending by ETSL.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 

From dwalsh at redhat.com Thu Apr 20 18:26:43 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Apr 2006 14:26:43 -0400
Subject: Question about log entries
In-Reply-To: <4444E31B.25031.E09FE8@knute.frazmtn.com>
References: <4444E31B.25031.E09FE8@knute.frazmtn.com>
Message-ID: <4447D263.9060009@redhat.com>

Knute Johnson wrote:
> I really don't have a good grasp on how selinux works so simple
> explanations will be better. This showed up in my log this morning.
> What would generate this sort of an entry?
> 
> Thanks,
> 
> knute...
> 
> --------------------- Selinux Audit Begin ------------------------
> 
> *** Denials ***
> user_u system_u (file): 48 times
> user_u user_u (process): 1 times
> 
> ---------------------- Selinux Audit End -------------------------
> 
> 
Could you attach the actual log?

From notting at redhat.com Thu Apr 20 18:38:16 2006
From: notting at redhat.com (Bill Nottingham)
Date: Thu, 20 Apr 2006 14:38:16 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>
References: <20060418140812.GA29333@devserv.devel.redhat.com>
	<1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil>
	<20060418184134.GC8935@devserv.devel.redhat.com>
	<20060418204245.GB17013@devserv.devel.redhat.com>
	<1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060420183816.GA1196@nostromo.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> It may be necessary to add allow rules to enable the fscontext= mount to
> succeed, although I would have expected that to generate an avc denial
> if that were the issue (unless suppressed by a dontaudit, but that seems
> wrong). You would need to allow
> :filesystem relabelfrom; allow
> :filesystem relabelto; Dan?

OK, once doing this, I get:

avc: denied { search } for pid=1688 comm="mount" name="/" dev=tmpfs ino=5444
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=dir

And, then, expectedly, after fixing that, restorecon can't getattr/read/etc
fs_t.

I seem to be stuck in a neverending cascade of AVCs. What's generally
wrong here?

The usage model is this:

1) mount a tmpfs under /var somewhere
2) take a predefined list of dirs and files, and for each one:
   a) copy it to that tmpfs
   b) bind mount it over its original location
   c) restorecon @ the original location, to get the contexts right

This shouldn't be *that* hard to get working with policy, should it?

Bill

From orion at cora.nwra.com Thu Apr 20 20:48:44 2006
From: orion at cora.nwra.com (Orion Poplawski)
Date: Thu, 20 Apr 2006 14:48:44 -0600
Subject: Relabeling nfs_t files
Message-ID:

I have a problem where occasionally files end up with the nfs_t context on
local filesystems, presumably due to folks moving them there off of nfs
mounts. However, these files cannot be backed up by amanda. My thought was
to run restorecon or fixfiles regularly on the directory tree to reset the
context, but I get:

audit(1145565590.726:16283): avc: denied { getattr } for pid=22182 comm="restorecon" name="TT_v2.mat" dev=sda1 ino=204482 scontext=root:system_r:restorecon_t tcontext=system_u:object_r:nfs_t tclass=file

So, what to do?

Thanks!

From tonynelson at georgeanelson.com Fri Apr 21 00:32:40 2006
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Thu, 20 Apr 2006 20:32:40 -0400
Subject: Trouble with dump / restore
Message-ID:

This is probably only marginally related to SELinux. I'm trying to learn
how to use dump and restore (via DVD+/-R), and I've gotten it working to
the point where the files seem to be OK but the SELinux Extended
Attributes are not. I used the commands (as root, with / being LogVol02):

# mount -r /dev/VolGroup00/LogVol00 /mnt/lv00
# dump -0 -L xxx -B 4590208 -f /tmp/dumpdvd /dev/VolGroup00/LogVol00
  [cdrecord used once per tape, from another terminal]
# cdrecord -v -sao dev=dvd -data /tmp/dumpdvd
# restore -C -f /dev/dvd

OK, some of that is superstition, but it works except for about one of
these messages for each file, and no other errors (according to grep -v):

./path/to/file: EA foo_x:object_r:bar_y value changed

What am I doing wrong?
____________________________________________________________________
TonyN.:' '

From paul at city-fan.org Fri Apr 21 07:52:29 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 21 Apr 2006 08:52:29 +0100
Subject: Another mount issue
Message-ID: <1145605949.27071.16.camel@laurel.intra.city-fan.org>

On my file/web/samba/nfs server I have a software archive, which I serve
out using both samba and httpd. So the whole thing is public_content_rw_t,
and the appropriate boolean set so that samba can write to it.

On the software archive I have DVD ISO images of FC4 and FC5. I have fstab
entries for these to loopback mount them as follows:

/srv/softlib/fedora/stentz/FC4-i386-DVD.iso /srv/softlib/fedora/stentz/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
/srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0

Unfortunately the mount won't work at boot time because mount is confined
to the mount_t domain, which can't read public_content_rw_t:

Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc: denied { read } for pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5 ino=1032205 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc: denied { read } for pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5 ino=606259 scontext=system_u:system_r:mount_t:s0 tcontext=root:object_r:public_content_rw_t:s0 tclass=file

A "mount -a" after booting works fine as it then runs unconfined.

Is this something that should be generally allowed or should I just write
local policy to fix this?

Paul.

From paul at city-fan.org Fri Apr 21 10:02:06 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 21 Apr 2006 11:02:06 +0100
Subject: procmail
In-Reply-To: <4445212A.2060708@city-fan.org>
References: <443BCBFB.2050104@city-fan.org> <443FB650.1040309@redhat.com>
	<4445212A.2060708@city-fan.org>
Message-ID: <4448AD9E.1090909@city-fan.org>

Paul Howarth wrote:
> One of the actions a procmail recipe can have is to forward
> mail somewhere else. It uses sendmail to do this. Running sendmail from
> procmail doesn't seem to involve a domain transition, so I get:
> 
> Try to read alternatives link for sendmail:
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.428:12692): avc:
> denied { read } for pid=4316 comm="procmail" name="sendmail" dev=dm-3
> ino=131309 scontext=user_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
> 
> Try to run sendmail:
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.432:12693): avc:
> denied { execute } for pid=4316 comm="procmail"
> name="sendmail.sendmail" dev=dm-3 ino=131306
> scontext=user_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12694): avc:
> denied { execute_no_trans } for pid=4316 comm="procmail"
> name="sendmail.sendmail" dev=dm-3 ino=131306
> scontext=user_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> Apr 18 18:10:12 goalkeeper kernel: audit(1145380212.436:12695): avc:
> denied { read } for pid=4316 comm="procmail" name="sendmail.sendmail"
> dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

I see from the rawhide report that something to address this has gone
into selinux-policy-2.2.34-2 (thanks).

Anyway, I tried fixing it myself as follows yesterday:

module procmail 0.1;

require {
	role object_r;
	role system_r;
	class dir { add_name getattr read remove_name search write };
	class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
	class lnk_file read;
	class process { noatsecure sigchld siginh transition rlimitinh };
	class fd { use };
	class fifo_file { getattr read write append ioctl lock };
	type procmail_t;
	type var_log_t;
	type sbin_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# Procmail needs to call sendmail for forwarding
allow procmail_t sbin_t:lnk_file read;
optional_policy(`sendmail',`
	sendmail_domtrans(procmail_t)
')

This does seem to work but surely there's a tidier way of handling those
class requirements? What am I missing?

Paul.

From sds at tycho.nsa.gov Fri Apr 21 11:38:45 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 21 Apr 2006 07:38:45 -0400
Subject: Does MAP_FIXED inhibit execmem denial?
In-Reply-To: <4447CFF7.2020206@BitWagon.com>
References: <4447219C.20301@BitWagon.com>
	<1145549952.3313.135.camel@moss-spartans.epoch.ncsc.mil>
	<4447CFF7.2020206@BitWagon.com>
Message-ID: <1145619525.21749.3.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-20 at 11:16 -0700, John Reiser wrote:
> Stephen Smalley wrote:
> 
> >>However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
> >>I see no execmem complaints. Strace of typical execution begins:
> > 
> > 
> > Hmmm...shouldn't.
> > 
> > # /usr/sbin/getsebool allow_execmem
> > (If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
> > confined domain.)
> > # cat /selinux/checkreqprot
> > # execstack -q /path/to/program
> 
> Thank you for diagnosing. allow_execmem is "on" under the installed
> selinux-policy-targeted-2.2.29-3.fc5. [There have been no changes
> to booleans after default install of FC5 except via "yum upgrade".]

Yes, execmem is allowed by default to the unconfined_t domain, so you
have to consciously choose to disable it. Otherwise, the system would be
broken out of the box for a lot of users. setsebool -P to make that
permanent (preserved across reboots). But note it will break some
programs.

> 
> Transcript:
> -----
> # /usr/sbin/getsebool allow_execmem
> allow_execmem --> on
> # /usr/sbin/setsebool allow_execmem=0
> # cat /selinux/checkreqprot   ## Note the output '1' on the next line.
> 1# execstack -q ./date.OK
> execstack: "./date.OK" has no section headers
> ## The info would be in a PT_GNU_STACK Elf32_Phdr "segment header",
> ## not in any Elf32_Shdr.
> ## But anyway, there is no PT_GNU_STACK in ./date.OK, either.
> 
> # strace ./date.OK
> execve("./date.OK", ["./date.OK"], [/* 22 vars */]) = 0
> old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, \
>    -1, 0xc06000) = -1 EACCES (Permission denied)   ## Now I understand.
> # rpm -qa | grep selinux
> libselinux-devel-1.30-1.fc5
> selinux-policy-2.2.29-3.fc5
> selinux-policy-targeted-2.2.29-3.fc5
> libselinux-1.30-1.fc5
> libselinux-python-1.30-1.fc5
> #
> -----
> 

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Apr 21 11:51:44 2006
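The thread above ends with Stephen Smalley's three-item checklist (the allow_execmem boolean, checkreqprot, and whether the binary actually asks for writable+executable memory). As an added example, not code from the thread, here is that checklist as a small script: it reads the two selinuxfs files and then requests the kind of anonymous W+X mapping the UPX strace shows. It deliberately uses a plain anonymous mapping rather than MAP_FIXED, since the thread's conclusion is that the boolean, not the mapping flags, decides whether the execmem check fires; the /sys/fs/selinux mount point is assumed for current kernels (the 2006 messages used /selinux).

```python
"""Stephen Smalley's execmem checklist as a script.  Added example, not code
from the mailing-list thread.  It reads the allow_execmem boolean and
checkreqprot from selinuxfs, then requests PROT_READ|PROT_WRITE|PROT_EXEC
anonymous memory, the operation UPX's decompressor performs."""
import mmap
import os

# Current kernels mount selinuxfs on /sys/fs/selinux; the 2006 thread used /selinux.
SELINUXFS_ROOTS = ("/sys/fs/selinux", "/selinux")


def read_selinuxfs_int(rel_path):
    """First integer in the named selinuxfs file, or None when selinuxfs is
    not mounted or the file does not exist (e.g. a boolean renamed since)."""
    for root in SELINUXFS_ROOTS:
        try:
            with open(os.path.join(root, rel_path)) as f:
                return int(f.read().split()[0])
        except (OSError, ValueError, IndexError):
            continue
    return None


def allow_execmem():
    """Current value of the allow_execmem boolean (the file holds
    "<current> <pending>").  The name is the FC5-era one from the thread;
    later policies renamed this boolean, in which case None is returned."""
    return read_selinuxfs_int("booleans/allow_execmem")


def checkreqprot():
    """1: the kernel checks the protection the program *requested* (the
    value John's transcript showed); 0: the protection actually applied."""
    return read_selinuxfs_int("checkreqprot")


def probe_wx_anonymous_mapping(size=4096):
    """Request a writable+executable anonymous mapping, as in the strace.
    A denial of the execmem permission surfaces as EACCES, which Python
    raises as PermissionError; any other failure propagates."""
    try:
        m = mmap.mmap(-1, size,
                      flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    except PermissionError:
        return "denied"
    m.close()
    return "allowed"


def execmem_report():
    """The three observations together, so a denial (or its absence) can be
    read against the boolean and checkreqprot settings that produced it."""
    return {
        "allow_execmem": allow_execmem(),
        "checkreqprot": checkreqprot(),
        "wx_anonymous_mapping": probe_wx_anonymous_mapping(),
    }


if __name__ == "__main__":
    for key, value in execmem_report().items():
        print("%-22s %s" % (key, value))
```

On a machine without selinuxfs the two file readers report None and only the mapping probe carries information.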
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 21 Apr 2006 07:51:44 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060420183816.GA1196@nostromo.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com>
	<1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil>
	<20060418184134.GC8935@devserv.devel.redhat.com>
	<20060418204245.GB17013@devserv.devel.redhat.com>
	<1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>
	<20060420183816.GA1196@nostromo.devel.redhat.com>
Message-ID: <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-20 at 14:38 -0400, Bill Nottingham wrote:
> Stephen Smalley (sds at tycho.nsa.gov) said:
> > It may be necessary to add allow rules to enable the fscontext= mount to
> > succeed, although I would have expected that to generate an avc denial
> > if that were the issue (unless suppressed by a dontaudit, but that seems
> > wrong). You would need to allow
> > :filesystem relabelfrom; allow
> > :filesystem relabelto; Dan?
> 
> OK, once doing this, I get:
> 
> avc: denied { search } for pid=1688 comm="mount" name="/" dev=tmpfs ino=5444
> scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fs_t:s0
> tclass=dir

Ah, yes. tmpfs / fs_use_trans is a bit different; inodes are labeled
based on transition SID computed from allocating task SID and superblock
SID.

> And, then, expectedly, after fixing that, restorecon can't getattr/read/etc
> fs_t.
> 
> I seem to be stuck in a neverending cascade of AVCs. What's generally
> wrong here?
> 
> The usage model is this:
> 
> 1) mount a tmpfs under /var somewhere
> 2) take a predefined list of dirs and files, and for each one:
>    a) copy it to that tmpfs
>    b) bind mount it over its original location
>    c) restorecon @ the original location, to get the contexts right
> 
> This shouldn't be *that* hard to get working with policy, should it?

This is beginning to make me think that fs_use_trans behavior isn't
quite what it needs to be, or that we need an alternate (new) behavior
for tmpfs. tmpfs has always been a bit of a sore spot because of its
multiple uses for the kernel-internal shm mount, the userspace POSIX shm
mount, and any other arbitrary use.

Possibly stupid question: Will files be created dynamically in these
tmpfs mounts at runtime? Do you expect them to follow the traditional
inherit-from-parent-directory behavior you get from ext3?

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Apr 21 12:12:38 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 21 Apr 2006 08:12:38 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil>
References: <20060418140812.GA29333@devserv.devel.redhat.com>
	<1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil>
	<20060418184134.GC8935@devserv.devel.redhat.com>
	<20060418204245.GB17013@devserv.devel.redhat.com>
	<1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil>
	<20060420183816.GA1196@nostromo.devel.redhat.com>
	<1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1145621558.21749.21.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-21 at 07:51 -0400, Stephen Smalley wrote:
> On Thu, 2006-04-20 at 14:38 -0400, Bill Nottingham wrote:
> Possibly stupid question: Will files be created dynamically in these
> tmpfs mounts at runtime? Do you expect them to follow the traditional
> inherit-from-parent-directory behavior you get from ext3?

Sorry, not enough caffeine here. They already do follow that behavior
(via inode_init_security hook call from tmpfs). Only problem here is
getting the right label on the root directory inode in the first place,
which likely just requires allowing restorecon to fix it up, as is done
for /dev as well.

This does suggest however that a rootcontext= option to mount would be
helpful.

-- 
Stephen Smalley
National Security Agency

From cpebenito at tresys.com Fri Apr 21 13:15:41 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 21 Apr 2006 09:15:41 -0400
Subject: procmail
In-Reply-To: <4448AD9E.1090909@city-fan.org>
References: <443BCBFB.2050104@city-fan.org> <443FB650.1040309@redhat.com>
	<4445212A.2060708@city-fan.org> <4448AD9E.1090909@city-fan.org>
Message-ID: <1145625342.18861.16.camel@sgc.columbia.tresys.com>

On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
> Paul Howarth wrote:

> module procmail 0.1;
> 
> require {
[cut]
> 	class dir { add_name getattr read remove_name search write };
> 	class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
> 	class lnk_file read;
> 	class process { noatsecure sigchld siginh transition rlimitinh };
> 	class fd { use };
> 	class fifo_file { getattr read write append ioctl lock };
[cut]
> This does seem to work but surely there's a tidier way of handling those
> class requirements? What am I missing?

You want to use the "policy_module(procmail,0.1)" macro instead of the
module statement at the top. It adds all of the kernel object classes,
so you don't have to write them all out.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From paul at city-fan.org Fri Apr 21 13:24:55 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 21 Apr 2006 14:24:55 +0100
Subject: procmail
In-Reply-To: <1145625342.18861.16.camel@sgc.columbia.tresys.com>
References: <443BCBFB.2050104@city-fan.org> <443FB650.1040309@redhat.com>
	<4445212A.2060708@city-fan.org> <4448AD9E.1090909@city-fan.org>
	<1145625342.18861.16.camel@sgc.columbia.tresys.com>
Message-ID: <4448DD27.90605@city-fan.org>

Christopher J. PeBenito wrote:
> On Fri, 2006-04-21 at 11:02 +0100, Paul Howarth wrote:
>> Paul Howarth wrote:
> 
>> module procmail 0.1;
>> 
>> require {
> [cut]
>> 	class dir { add_name getattr read remove_name search write };
>> 	class file { append create execute execute_no_trans getattr ioctl lock read rename unlink write };
>> 	class lnk_file read;
>> 	class process { noatsecure sigchld siginh transition rlimitinh };
>> 	class fd { use };
>> 	class fifo_file { getattr read write append ioctl lock };
> [cut]
>> This does seem to work but surely there's a tidier way of handling those
>> class requirements? What am I missing?
> 
> You want to use the "policy_module(procmail,0.1)" macro instead of the
> module statement at the top. It adds all of the kernel object classes,
> so you don't have to write them all out.

Thanks, that's much better:

policy_module(procmail, 0.2)

require {
	type procmail_t;
	type sbin_t;
	type var_log_t;
};

# Needed for writing to /var/log/procmail.log
allow procmail_t var_log_t:dir search;
allow procmail_t var_log_t:file append;

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# This should be in selinux-policy-2.2.34-2 onwards

# Read alternatives link
allow procmail_t sbin_t:lnk_file read;

# Allow transition to sendmail
# (may need similar code for other MTAs that can replace sendmail)
optional_policy(`sendmail',`
	sendmail_domtrans(procmail_t)
')

Cheers,
Paul.

From i.pilcher at comcast.net Fri Apr 21 15:29:59 2006
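Both the pap.te module Tony Nelson posted earlier in this archive and Paul Howarth's procmail rules above started from AVC denial lines, so here is that aggregation step written out. This is an added example, not the audit2allow tool the messages used or the list members' code; the sample records are the AVC lines quoted in those two messages, and the only assumption is that the record's scontext/tcontext/tclass fields appear in that order, as they do in every line on this page.

```python
"""Collapse AVC denial records into the allow rules a local policy module
would need.  Added example for this thread, not the audit2allow tool the
messages above used; it performs the same aggregation step and nothing
more.  The sample records are copied from the pap/cupsd and procmail
messages in this archive."""
import re
from collections import defaultdict

# Shape of one record.  Both the "type=AVC msg=audit(...)" form and the bare
# kernel-log "audit(...): avc: denied" form share this tail:
#   avc: denied { perm perm } for ... scontext=U:R:TYPE[:RANGE]
#   tcontext=U:R:TYPE[:RANGE] tclass=CLASS
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?"
    r"\btcontext=(?P<tcontext>\S+).*?"
    r"\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:range], so
    'system_u:system_r:cupsd_t:s0-s0:c0.c255' -> 'cupsd_t'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)), or None
    when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()))


def aggregate(lines):
    """Union the permissions of every denial sharing source type, target
    type and class: the five cupsd_t socket denials become one entry."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule.  'self' is used when a domain acts on objects
    of its own type, which is exactly the form pap.te ended up with."""
    target = "self" if stype == ttype else ttype
    return "allow %s %s:%s { %s };" % (stype, target, tclass,
                                       " ".join(sorted(perms)))


def allow_rules(lines):
    """Sorted allow rules covering every denial in `lines`.  They grant what
    the program attempted, not necessarily what policy should allow: the
    procmail thread replaced the execute/execute_no_trans rule this yields
    with a domain transition (sendmail_domtrans) instead."""
    return [format_rule(stype, ttype, tclass, perms)
            for (stype, ttype, tclass), perms in sorted(aggregate(lines).items())]


# Copied from the two messages (syslog prefixes trimmed), not constructed.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1145484476.381:82): avc: denied { create } for pid=8035 '
    'comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket',
    'type=AVC msg=audit(1145485638.551:86): avc: denied { bind } for pid=8215 '
    'comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket',
    'type=AVC msg=audit(1145485978.490:91): avc: denied { getattr } for pid=8291 '
    'comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket',
    'type=AVC msg=audit(1145486131.769:96): avc: denied { write } for pid=8336 '
    'comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket',
    'type=AVC msg=audit(1145486380.729:103): avc: denied { read } for pid=8408 '
    'comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
    'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket',
    'audit(1145380212.428:12692): avc: denied { read } for pid=4316 comm="procmail" '
    'name="sendmail" dev=dm-3 ino=131309 scontext=user_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file',
    'audit(1145380212.432:12693): avc: denied { execute } for pid=4316 comm="procmail" '
    'name="sendmail.sendmail" dev=dm-3 ino=131306 scontext=user_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file',
    'audit(1145380212.436:12694): avc: denied { execute_no_trans } for pid=4316 '
    'comm="procmail" name="sendmail.sendmail" dev=dm-3 ino=131306 '
    'scontext=user_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

The first rule it prints is the one in pap.te verbatim; the procmail lines show why a generated rule still needs a human decision, since granting execute_no_trans would keep sendmail running in procmail_t rather than letting it transition.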
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Fri, 21 Apr 2006 10:29:59 -0500
Subject: Another mount issue
In-Reply-To: <1145605949.27071.16.camel@laurel.intra.city-fan.org>
References: <1145605949.27071.16.camel@laurel.intra.city-fan.org>
Message-ID:

Paul Howarth wrote:
>
> Is this something that should be generally allowed or should I just
> write local policy to fix this?
>

Methinks a boolean which loosens the restrictions on boot-time mounts
might be appropriate for now.

--
========================================================================
Ian Pilcher i.pilcher at comcast.net
========================================================================

From notting at redhat.com Fri Apr 21 16:37:50 2006
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 21 Apr 2006 12:37:50 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil> <20060420183816.GA1196@nostromo.devel.redhat.com> <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060421163750.GA14800@devserv.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> > OK, once doing this, I get:
> >
> > avc: denied { search } for pid=1688 comm="mount" name="/" dev=tmpfs ino=5444 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=dir
>
> Ah, yes. tmpfs / fs_use_trans is a bit different; inodes are labeled
> based on transition SID computed from allocating task SID and superblock
> SID.
>
> > And, then, expectedly, after fixing that, restorecon can't getattr/read/etc
> > fs_t.
> >
> > I seem to be stuck in a neverending cascade of AVCs. What's generally
> > wrong here?
> >
> > The usage model is this:
> >
> > 1) mount a tmpfs under /var somewhere
> > 2) take a predefined list of dirs and files, and for each one:
> >    a) copy it to that tmpfs
> >    b) bind mount it over its original location
> >    c) restorecon @ the original location, to get the contexts right
> >
> > This shouldn't be *that* hard to get working with policy, should it?
>
> This is beginning to make me think that fs_use_trans behavior isn't
> quite what it needs to be, or that we need an alternate (new) behavior
> for tmpfs. tmpfs has always been a bit of a sore spot because of its
> multiple uses for the kernel-internal shm mount, the userspace POSIX shm
> mount, and any other arbitrary use.
>
> Possibly stupid question: Will files be created dynamically in these
> tmpfs mounts at runtime?

Yes. Consider pid files in /var/run, lock files in /var/lock, etc.

> Do you expect them to follow the traditional
> inherit-from-parent-directory behavior you get from ext3?

Yes.

Bill

From sds at tycho.nsa.gov Fri Apr 21 16:50:09 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 21 Apr 2006 12:50:09 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060421163750.GA14800@devserv.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil> <20060420183816.GA1196@nostromo.devel.redhat.com> <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil> <20060421163750.GA14800@devserv.devel.redhat.com>
Message-ID: <1145638209.21749.182.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-21 at 12:37 -0400, Bill Nottingham wrote:
> Yes. Consider pid files in /var/run, lock files in /var/lock, etc.
>
> > Do you expect them to follow the traditional
> > inherit-from-parent-directory behavior you get from ext3?
>
> Yes.

Yes, and that's ok. I think we just need to adjust policy to allow
restorecon to fix the label on the root directory, and (on the separate
issue of policy), we need a rw mount on /etc/selinux separate from the
rest of root so that we can perform policy module operations.

--
Stephen Smalley
National Security Agency

From notting at redhat.com Fri Apr 21 16:54:18 2006
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 21 Apr 2006 12:54:18 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <1145638209.21749.182.camel@moss-spartans.epoch.ncsc.mil>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil> <20060420183816.GA1196@nostromo.devel.redhat.com> <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil> <20060421163750.GA14800@devserv.devel.redhat.com> <1145638209.21749.182.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060421165418.GB14800@devserv.devel.redhat.com>

Stephen Smalley (sds at tycho.nsa.gov) said:
> > > Do you expect them to follow the traditional
> > > inherit-from-parent-directory behavior you get from ext3?
> >
> > Yes.
>
> Yes, and that's ok. I think we just need to adjust policy to allow
> restorecon to fix the label on the root directory, and (on the separate
> issue of policy),

OK.

> we need a rw mount on /etc/selinux separate from the
> rest of root so that we can perform policy module operations.

I'm not as sure about this now that I understand how semodule
is supposed to work. If you're running a read-only system,
you shouldn't need to add or remove modules at runtime - that's
something you do when preparing the image to run read-only. That
only leaves listing modules, which I presume can be fixed to not
need write access?

Bill

From sds at tycho.nsa.gov Fri Apr 21 17:08:52 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 21 Apr 2006 13:08:52 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <20060421165418.GB14800@devserv.devel.redhat.com>
References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil> <20060420183816.GA1196@nostromo.devel.redhat.com> <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil> <20060421163750.GA14800@devserv.devel.redhat.com> <1145638209.21749.182.camel@moss-spartans.epoch.ncsc.mil> <20060421165418.GB14800@devserv.devel.redhat.com>
Message-ID: <1145639332.21749.193.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> Stephen Smalley (sds at tycho.nsa.gov) said:
> > we need a rw mount on /etc/selinux separate from the
> > rest of root so that we can perform policy module operations.
>
> I'm not as sure about this now that I understand how semodule
> is supposed to work. If you're running a read-only system,
> you shouldn't need to add or remove modules at runtime - that's
> something you do when preparing the image to run read-only. That
> only leaves listing modules, which I presume can be fixed to not
> need write access?

Likely, but we'd want to distinguish the ro mount case from a rw mount
where the read lock acquisition fails for some other cause. Likely can
just test for errno EROFS when semanage_get_active_lock() fails, and
proceed with rdonly operations in that case? cc'd Tresys folks above.

--
Stephen Smalley
National Security Agency

From jbrindle at tresys.com Fri Apr 21 18:05:51 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Fri, 21 Apr 2006 14:05:51 -0400
Subject: problems with tmpfs and relabeling
Message-ID: <6FE441CD9F0C0C479F2D88F959B01588118BBC@exchange.columbia.tresys.com>

> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
>
> On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> > Stephen Smalley (sds at tycho.nsa.gov) said:
> > > we need a rw mount on /etc/selinux separate from the rest
> > > of root so that we can perform policy module operations.
> >
> > I'm not as sure about this now that I understand how semodule is
> > supposed to work. If you're running a read-only system, you shouldn't
> > need to add or remove modules at runtime - that's something you do
> > when preparing the image to run read-only. That only leaves listing
> > modules, which I presume can be fixed to not need write access?
>
> Likely, but we'd want to distinguish the ro mount case from a
> rw mount where the read lock acquisition fails for some other
> cause. Likely can just test for errno EROFS when
> semanage_get_active_lock() fails, and proceed with rdonly
> operations in that case? cc'd Tresys folks above.

Not sure about this, if the mount becomes rw in the middle of an EROFS
read the policy can be changed underneath them. I guess I'm unsure where
this sudden push for ro filesystem support is coming from and why it's
important. Any kind of read only / system is going to have a highly
abstracted interface. I have serious doubts that there would be any
users running a bash shell and trying to get a list of modules.

From notting at redhat.com Fri Apr 21 18:30:08 2006
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 21 Apr 2006 14:30:08 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588118BBC@exchange.columbia.tresys.com>
References: <6FE441CD9F0C0C479F2D88F959B01588118BBC@exchange.columbia.tresys.com>
Message-ID: <20060421183007.GF14800@devserv.devel.redhat.com>

Joshua Brindle (jbrindle at tresys.com) said:
> > Likely, but we'd want to distinguish the ro mount case from a
> > rw mount where the read lock acquisition fails for some other
> > cause. Likely can just test for errno EROFS when
> > semanage_get_active_lock() fails, and proceed with rdonly
> > operations in that case? cc'd Tresys folks above.
>
> Not sure about this, if the mount becomes rw in the middle of an EROFS
> read the policy can be changed underneath them.

Yes, but that tends to imply some fairly severe gun -> foot interactions
on the part of the admin.

> I guess I'm unsure where
> this sudden push for ro filesystem support is coming from and why it's
> important. Any kind of read only / system is going to have a highly
> abstracted interface. I have serious doubts that there would be any
> users running a bash shell and trying to get a list of modules.

http://fedoraproject.org/wiki/StatelessLinux

Bill

From jbrindle at tresys.com Fri Apr 21 18:47:10 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Fri, 21 Apr 2006 14:47:10 -0400
Subject: problems with tmpfs and relabeling
Message-ID: <6FE441CD9F0C0C479F2D88F959B01588118BC4@exchange.columbia.tresys.com>

> From: Bill Nottingham [mailto:notting at redhat.com]
>
> Joshua Brindle (jbrindle at tresys.com) said:
> > > Likely, but we'd want to distinguish the ro mount case from a rw
> > > mount where the read lock acquisition fails for some other cause.
> > > Likely can just test for errno EROFS when
> > > semanage_get_active_lock() fails, and proceed with rdonly operations
> > > in that case? cc'd Tresys folks above.
> >
> > Not sure about this, if the mount becomes rw in the middle of an EROFS
> > read the policy can be changed underneath them.
>
> Yes, but that tends to imply some fairly severe gun -> foot
> interactions on the part of the admin.
>

The admin need not know what is going on, how many things happen on
average linux systems without an average admin's knowledge?

> > I guess I'm unsure where
> > this sudden push for ro filesystem support is coming from and why it's
> > important. Any kind of read only / system is going to have a highly
> > abstracted interface. I have serious doubts that there would be any
> > users running a bash shell and trying to get a list of modules.
>
> http://fedoraproject.org/wiki/StatelessLinux
>

I retract the above statement. Even when making non-persistent boolean
changes (which I can see happening on these systems) the lock is
attempted. It's still unclear whether setsebool should fall back or if
libsemanage should. I don't like the idea of lockless readers, even if
the filesystem is RO when we start reading. I'm open to suggestions, the
easiest thing to do in this case is propagate the EROFS error back up to
setsebool to fall back but that doesn't address the other
semodule/semanage operations, but I'm dubious as to whether those are
useful at all on a setup like this.

From notting at redhat.com Fri Apr 21 18:58:25 2006
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 21 Apr 2006 14:58:25 -0400
Subject: problems with tmpfs and relabeling
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588118BC4@exchange.columbia.tresys.com>
References: <6FE441CD9F0C0C479F2D88F959B01588118BC4@exchange.columbia.tresys.com>
Message-ID: <20060421185825.GA27452@devserv.devel.redhat.com>

Joshua Brindle (jbrindle at tresys.com) said:
> > Yes, but that tends to imply some fairly severe gun -> foot
> > interactions on the part of the admin.
>
> The admin need not know what is going on, how many things happen on
> average linux systems without an average admin's knowledge?

Well, I'd hope that remounting the root FS read-write wouldn't be one
of those. Arguably, you could even set up the policy to disallow this.

> I retract the above statement. Even when making non-persistent boolean
> changes (which I can see happening on these systems) the lock is
> attempted. It's still unclear whether setsebool should fall back or if
> libsemanage should. I don't like the idea of lockless readers, even if
> the filesystem is RO when we start reading.

Hm, I didn't consider booleans. How (at an implementation level) is
setting of booleans done? (I haven't looked at the backend guts of the
SELinux code that much.)

Bill

From jbrindle at tresys.com Fri Apr 21 19:26:15 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Fri, 21 Apr 2006 15:26:15 -0400
Subject: problems with tmpfs and relabeling
Message-ID: <6FE441CD9F0C0C479F2D88F959B01588118BD2@exchange.columbia.tresys.com>

> From: Bill Nottingham [mailto:notting at redhat.com]
>
> Joshua Brindle (jbrindle at tresys.com) said:
> > > Yes, but that tends to imply some fairly severe gun -> foot
> > > interactions on the part of the admin.
> >
> > The admin need not know what is going on, how many things happen on
> > average linux systems without an average admin's knowledge?
>
> Well, I'd hope that remounting the root FS read-write
> wouldn't be one of those. Arguably, you could even set up the
> policy to disallow this.
>
> > I retract the above statement. Even when making non-persistent boolean
> > changes (which I can see happening on these systems) the lock is
> > attempted. It's still unclear whether setsebool should fall back or if
> > libsemanage should. I don't like the idea of lockless readers, even if
> > the filesystem is RO when we start reading.
>
> Hm, I didn't consider booleans. How (at an implementation
> level) is setting of booleans done? (I haven't looked at
> the backend guts of the SELinux code that much.)
>

In the non-persistent case it checks whether the store is managed and
then does the libselinux calls to set the boolean so that actually won't
be a problem. Also, Karl claims that lockf works on a RO filesystem so
the actual problem is that we always open the lock file with
O_RDWR | O_CREAT but we can change it to try a read only open first and
if it isn't there try to create it and then bail after that. If the
store has been properly initialized the lock files will be present, the
O_RDONLY open will succeed and the lockf call will succeed and the query
should work fine. This is a pretty trivial change, do you think it will
work Steve?

From felipe.alfaro at gmail.com Sat Apr 22 08:28:47 2006
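The open-order change Joshua describes above (read-only open first, create the lock file only if it is absent, bail otherwise), written out as an added example in Python rather than as libsemanage's C. The lock file name is constructed and fcntl.lockf is assumed to stand in for the lockf() call discussed; none of this is the library's own code.

```python
"""Lock-file open fallback for a policy store that may be mounted read-only.

Added example; not libsemanage's code. The lock file name used in demo()
is constructed, and fcntl.lockf is assumed to stand in for lockf()."""
import errno
import fcntl
import os
import tempfile


class StoreLockError(OSError):
    """The active-store lock could not be acquired."""


def open_lock_file(path):
    """Open the lock file for locking, creating it only if it is missing.

    1. O_RDONLY: works on both a rw and a ro store when the file exists,
       which is the normal case for a properly initialised store.
    2. O_RDWR|O_CREAT: only attempted when the file is absent.
    On a ro store with no lock file, step 2 fails with EROFS and we bail
    rather than carry on as a lockless reader."""
    try:
        return os.open(path, os.O_RDONLY)
    except OSError as e:
        if e.errno != errno.ENOENT:
            raise StoreLockError(e.errno, f"cannot open {path}: {e.strerror}")
    try:
        return os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    except OSError as e:
        if e.errno == errno.EROFS:
            raise StoreLockError(e.errno, f"read-only store and {path} is missing")
        raise StoreLockError(e.errno, f"cannot create {path}: {e.strerror}")


def get_active_read_lock(path):
    """Take a shared (read) lock on the store lock file and return the fd.

    A shared fcntl lock is permitted on a descriptor opened O_RDONLY, which
    is what makes reading on a ro mount possible. Closing the fd releases
    the lock."""
    fd = open_lock_file(path)
    try:
        fcntl.lockf(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
    except OSError as e:
        os.close(fd)
        raise StoreLockError(e.errno, f"read lock on {path} unavailable: {e.strerror}")
    return fd


def demo():
    """Exercise the three paths on a scratch directory.

    Returns (lock file created on first call, second call opened O_RDONLY,
    errno name raised when the store directory does not exist)."""
    with tempfile.TemporaryDirectory() as store:
        path = os.path.join(store, "semanage.read.LOCK")  # constructed name
        fd1 = get_active_read_lock(path)                   # absent -> created
        created = os.path.exists(path)
        fd2 = get_active_read_lock(path)                   # present -> O_RDONLY
        readonly = (fcntl.fcntl(fd2, fcntl.F_GETFL) & os.O_ACCMODE) == os.O_RDONLY
        os.close(fd2)
        os.close(fd1)
        try:
            get_active_read_lock(os.path.join(store, "no-such-dir", "LOCK"))
            failure = "none"
        except StoreLockError as e:
            failure = errno.errorcode[e.errno]
    return created, readonly, failure


if __name__ == "__main__":
    print(demo())
```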
From: felipe.alfaro at gmail.com (Felipe Alfaro Solana)
Date: Sat, 22 Apr 2006 10:28:47 +0200
Subject: SELinux avcs in permissive mode
Message-ID: <6f6293f10604220128o6af08fdem861119896da2935@mail.gmail.com>

Hi, folks.

I'm running Fedora Core Devel (RawHide) with SELinux enabled in
permissive mode in a Xen domain 0. After booting into runlevel 3 I see
these avcs:

audit(1145694295.644:3): avc: denied { read write } for pid=1490 comm="xenstored" name="console" dev=tmpfs ino=812 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
audit(1145694295.788:4): avc: denied { read write } for pid=1493 comm="xenconsoled" name="console" dev=tmpfs ino=812 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
audit(1145694299.076:5): SELinux: unrecognized netlink message type=28265 for sclass=43
audit(1145694302.696:8): avc: denied { read write } for pid=1621 comm="mingetty" name="utmp" dev=dm-0 ino=1310727 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
audit(1145694302.696:9): avc: denied { lock } for pid=1621 comm="mingetty" name="utmp" dev=dm-0 ino=1310727 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

Any comments on this?

Thanks!

From dragoran at feuerpokemon.de Sun Apr 23 08:47:24 2006
From: dragoran at feuerpokemon.de (dragoran)
Date: Sun, 23 Apr 2006 10:47:24 +0200
Subject: selinux breaks nfs
Message-ID: <444B3F1C.2030608@feuerpokemon.de>

Hello,
I tried to share a partition using nfs (using system-config-nfs), but
selinux prevents it from being mounted:

audit(1145781795.498:64): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:65): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:66): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:67): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:68): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:69): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:70): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:71): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability

All booleans for nfs are set to true, if I do setenforce 0 it works.
I am using selinux-policy-targeted-2.2.34-3.fc5 (from updates testing)
on FC x86_64.
From ejtr at layer3.co.uk Sun Apr 23 10:24:55 2006 
From: ejtr at layer3.co.uk (Ted Rule)
Date: Sun, 23 Apr 2006 11:24:55 +0100
Subject: Firefox/Flash printing
Message-ID: <1145787895.4308.25.camel@topaz.bugfinder.co.uk>

On my - admittedly FC4 - system, I've had a problem recently printing
from various Flash pages on certain websites. This is with the
combination of:

Flash 7.0.63
Firefox 1.0.8
selinux-policy-strict-1.27.1-2.27

An example of the problem is to be found here (build the jigsaw and
print it out):

http://www.bbc.co.uk/cbeebies/funandgames/jigsaw.shtml

(Yes, fixing the problem was prompted by my desire not to let
4-year-olds have to know how to temporarily set SELinux to permissive
just so as to print out their games results!)

After some burrowing around with policy tweaks and enableaudit, the
minimum extra policy I had to allow was this:

allow user_mozilla_t cupsd_t:dir { getattr search };
allow user_mozilla_t cupsd_t:file { read };

(i.e. let mozilla plugins read /proc/xxx for the cups daemon process)

With enableaudit in place, it seems that the Flash plugin invokes a
very verbose call to "ps". This, in turn, leads to lots of denial
messages as SELinux stops the plugin from seeing /proc/xxx for all the
system processes. The fixup seems to be to allow Flash to read status
and cmdline for the cupsd process itself; once it has found that
process, the existing print/lpr permissions for user_mozilla_t seem to
be enough to allow it to proceed. This still leaves a flood of denial
messages, but at least the printer works.

My suspicion is that the plugin decodes the output of something like
"ps axww" to determine the flavour of the local print server. Since the
plugin is probably designed to run on a number of platforms, it
presumably has to dynamically probe for the print processor type. Given
what I see, it would not surprise me that this behaviour exists in some
sort of generic print-API within Flash, and hence the problem may be
reasonably widespread on "Flashy" websites.
Can anyone confirm/deny whether this permission exists in the FC5 strict
and/or targeted policies?

Sample enableaudit trace of a print job invocation - with my patch set
to auditallow:

[long auditallow trace of "ps" under user_mozilla_t omitted: one getattr
denial per /proc/<pid> directory of every other domain, and granted
getattr/search on the cupsd_t process directory plus granted read of its
stat, status and cmdline files]
name="2589" dev=proc ino=169672706 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:getty_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.481:2636): avc: denied { getattr } for pid=4883 comm="ps" name="2590" dev=proc ino=169738242 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:getty_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.481:2637): avc: denied { getattr } for pid=4883 comm="ps" name="2591" dev=proc ino=169803778 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:getty_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.481:2638): avc: denied { getattr } for pid=4883 comm="ps" name="2592" dev=proc ino=169869314 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:getty_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2639): avc: denied { getattr } for pid=4883 comm="ps" name="2593" dev=proc ino=169934850 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:getty_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2640): avc: denied { getattr } for pid=4883 comm="ps" name="2594" dev=proc ino=170000386 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:initrc_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2641): avc: denied { getattr } for pid=4883 comm="ps" name="2798" dev=proc ino=183369730 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:xdm_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2642): avc: denied { getattr } for pid=4883 comm="ps" name="2855" dev=proc ino=187105282 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:xdm_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2643): avc: denied { getattr } for pid=4883 comm="ps" name="2865" dev=proc ino=187760642 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:xdm_xserver_t tclass=dir Apr 23 10:57:26 workstation kernel: 
audit(1145786246.485:2644): avc: denied { getattr } for pid=4883 comm="ps" name="3721" dev=proc ino=243859458 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2645): avc: denied { getattr } for pid=4883 comm="ps" name="3723" dev=proc ino=243990530 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2646): avc: denied { getattr } for pid=4883 comm="ps" name="3724" dev=proc ino=244056066 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2647): avc: denied { getattr } for pid=4883 comm="ps" name="3726" dev=proc ino=244187138 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2648): avc: denied { getattr } for pid=4883 comm="ps" name="3727" dev=proc ino=244252674 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2649): avc: denied { getattr } for pid=4883 comm="ps" name="3728" dev=proc ino=244318210 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2650): avc: denied { getattr } for pid=4883 comm="ps" name="3729" dev=proc ino=244383746 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2651): avc: denied { getattr } for pid=4883 comm="ps" name="3730" dev=proc ino=244449282 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2652): avc: denied { getattr } for pid=4883 comm="ps" name="3731" dev=proc ino=244514818 scontext=user_u:user_r:user_mozilla_t 
tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2653): avc: denied { getattr } for pid=4883 comm="ps" name="3754" dev=proc ino=246022146 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2654): avc: denied { getattr } for pid=4883 comm="ps" name="3756" dev=proc ino=246153218 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2655): avc: denied { getattr } for pid=4883 comm="ps" name="3760" dev=proc ino=246415362 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2656): avc: denied { getattr } for pid=4883 comm="ps" name="3761" dev=proc ino=246480898 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2657): avc: denied { getattr } for pid=4883 comm="ps" name="3763" dev=proc ino=246611970 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2658): avc: denied { getattr } for pid=4883 comm="ps" name="3764" dev=proc ino=246677506 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2659): avc: denied { getattr } for pid=4883 comm="ps" name="3765" dev=proc ino=246743042 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.485:2660): avc: denied { getattr } for pid=4883 comm="ps" name="3767" dev=proc ino=246874114 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2661): avc: denied { getattr } for pid=4883 
comm="ps" name="3768" dev=proc ino=246939650 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2662): avc: denied { getattr } for pid=4883 comm="ps" name="3769" dev=proc ino=247005186 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2663): avc: denied { getattr } for pid=4883 comm="ps" name="3770" dev=proc ino=247070722 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2664): avc: denied { getattr } for pid=4883 comm="ps" name="3772" dev=proc ino=247201794 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2665): avc: denied { getattr } for pid=4883 comm="ps" name="3773" dev=proc ino=247267330 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2666): avc: denied { getattr } for pid=4883 comm="ps" name="3797" dev=proc ino=248840194 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2667): avc: denied { getattr } for pid=4883 comm="ps" name="3799" dev=proc ino=248971266 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2668): avc: denied { getattr } for pid=4883 comm="ps" name="3800" dev=proc ino=249036802 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2669): avc: denied { getattr } for pid=4883 comm="ps" name="3802" dev=proc ino=249167874 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 
workstation kernel: audit(1145786246.489:2670): avc: denied { getattr } for pid=4883 comm="ps" name="3803" dev=proc ino=249233410 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2671): avc: denied { getattr } for pid=4883 comm="ps" name="3804" dev=proc ino=249298946 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2672): avc: denied { getattr } for pid=4883 comm="ps" name="3805" dev=proc ino=249364482 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2673): avc: denied { getattr } for pid=4883 comm="ps" name="3806" dev=proc ino=249430018 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2674): avc: denied { getattr } for pid=4883 comm="ps" name="3807" dev=proc ino=249495554 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2675): avc: denied { getattr } for pid=4883 comm="ps" name="3833" dev=proc ino=251199490 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2676): avc: denied { getattr } for pid=4883 comm="ps" name="3835" dev=proc ino=251330562 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2677): avc: denied { getattr } for pid=4883 comm="ps" name="3836" dev=proc ino=251396098 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2678): avc: denied { getattr } for pid=4883 comm="ps" name="3838" dev=proc ino=251527170 
scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.489:2679): avc: denied { getattr } for pid=4883 comm="ps" name="3839" dev=proc ino=251592706 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2680): avc: denied { getattr } for pid=4883 comm="ps" name="3840" dev=proc ino=251658242 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2681): avc: denied { getattr } for pid=4883 comm="ps" name="3841" dev=proc ino=251723778 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2682): avc: denied { getattr } for pid=4883 comm="ps" name="3842" dev=proc ino=251789314 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2683): avc: denied { getattr } for pid=4883 comm="ps" name="3843" dev=proc ino=251854850 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2684): avc: denied { getattr } for pid=4883 comm="ps" name="3866" dev=proc ino=253362178 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2685): avc: denied { getattr } for pid=4883 comm="ps" name="3868" dev=proc ino=253493250 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2686): avc: denied { getattr } for pid=4883 comm="ps" name="3869" dev=proc ino=253558786 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2687): 
avc: denied { getattr } for pid=4883 comm="ps" name="3871" dev=proc ino=253689858 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2688): avc: denied { getattr } for pid=4883 comm="ps" name="3872" dev=proc ino=253755394 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2689): avc: denied { getattr } for pid=4883 comm="ps" name="3873" dev=proc ino=253820930 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2690): avc: denied { getattr } for pid=4883 comm="ps" name="3874" dev=proc ino=253886466 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2691): avc: denied { getattr } for pid=4883 comm="ps" name="3875" dev=proc ino=253952002 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2692): avc: denied { getattr } for pid=4883 comm="ps" name="3876" dev=proc ino=254017538 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2693): avc: denied { getattr } for pid=4883 comm="ps" name="3900" dev=proc ino=255590402 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2694): avc: denied { getattr } for pid=4883 comm="ps" name="3902" dev=proc ino=255721474 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2695): avc: denied { getattr } for pid=4883 comm="ps" name="3903" dev=proc ino=255787010 scontext=user_u:user_r:user_mozilla_t 
tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2696): avc: denied { getattr } for pid=4883 comm="ps" name="3905" dev=proc ino=255918082 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2697): avc: denied { getattr } for pid=4883 comm="ps" name="3906" dev=proc ino=255983618 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2698): avc: denied { getattr } for pid=4883 comm="ps" name="3907" dev=proc ino=256049154 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2699): avc: denied { getattr } for pid=4883 comm="ps" name="3908" dev=proc ino=256114690 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.493:2700): avc: denied { getattr } for pid=4883 comm="ps" name="3911" dev=proc ino=256311298 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2701): avc: denied { getattr } for pid=4883 comm="ps" name="3912" dev=proc ino=256376834 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2702): avc: denied { getattr } for pid=4883 comm="ps" name="3934" dev=proc ino=257818626 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2703): avc: denied { getattr } for pid=4883 comm="ps" name="3936" dev=proc ino=257949698 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2704): avc: denied { getattr } for pid=4883 
comm="ps" name="3937" dev=proc ino=258015234 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2705): avc: denied { getattr } for pid=4883 comm="ps" name="3939" dev=proc ino=258146306 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2706): avc: denied { getattr } for pid=4883 comm="ps" name="3940" dev=proc ino=258211842 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2707): avc: denied { getattr } for pid=4883 comm="ps" name="3941" dev=proc ino=258277378 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2708): avc: denied { getattr } for pid=4883 comm="ps" name="3942" dev=proc ino=258342914 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2709): avc: denied { getattr } for pid=4883 comm="ps" name="3943" dev=proc ino=258408450 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2710): avc: denied { getattr } for pid=4883 comm="ps" name="3944" dev=proc ino=258473986 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2711): avc: denied { getattr } for pid=4883 comm="ps" name="3958" dev=proc ino=259391490 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2712): avc: denied { getattr } for pid=4883 comm="ps" name="4028" dev=proc ino=263979010 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_ssh_agent_t tclass=dir Apr 23 10:57:26 
workstation kernel: audit(1145786246.497:2713): avc: denied { getattr } for pid=4883 comm="ps" name="4031" dev=proc ino=264175618 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_dbusd_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2714): avc: denied { getattr } for pid=4883 comm="ps" name="4032" dev=proc ino=264241154 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2715): avc: denied { getattr } for pid=4883 comm="ps" name="4039" dev=proc ino=264699906 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_gconfd_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2716): avc: denied { getattr } for pid=4883 comm="ps" name="4044" dev=proc ino=265027586 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2717): avc: denied { getattr } for pid=4883 comm="ps" name="4046" dev=proc ino=265158658 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_bonobo_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2718): avc: denied { getattr } for pid=4883 comm="ps" name="4048" dev=proc ino=265289730 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2719): avc: denied { getattr } for pid=4883 comm="ps" name="4050" dev=proc ino=265420802 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2720): avc: denied { getattr } for pid=4883 comm="ps" name="4052" dev=proc ino=265551874 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2721): avc: denied { getattr } for pid=4883 comm="ps" name="4054" dev=proc ino=265682946 scontext=user_u:user_r:user_mozilla_t 
tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.497:2722): avc: denied { getattr } for pid=4883 comm="ps" name="4056" dev=proc ino=265814018 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2723): avc: denied { getattr } for pid=4883 comm="ps" name="4072" dev=proc ino=266862594 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2724): avc: denied { getattr } for pid=4883 comm="ps" name="4080" dev=proc ino=267386882 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2725): avc: denied { getattr } for pid=4883 comm="ps" name="4086" dev=proc ino=267780098 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2726): avc: denied { getattr } for pid=4883 comm="ps" name="4090" dev=proc ino=268042242 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2727): avc: denied { getattr } for pid=4883 comm="ps" name="4092" dev=proc ino=268173314 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2728): avc: denied { getattr } for pid=4883 comm="ps" name="4094" dev=proc ino=268304386 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2729): avc: denied { getattr } for pid=4883 comm="ps" name="4098" dev=proc ino=268566530 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2730): avc: denied { getattr } for pid=4883 comm="ps" name="4100" dev=proc ino=268697602 
scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_evolution_alarm_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2731): avc: denied { getattr } for pid=4883 comm="ps" name="4103" dev=proc ino=268894210 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_gnome_vfs_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2732): avc: denied { getattr } for pid=4883 comm="ps" name="4115" dev=proc ino=269680642 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2733): avc: denied { getattr } for pid=4883 comm="ps" name="4121" dev=proc ino=270073858 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2734): avc: denied { getattr } for pid=4883 comm="ps" name="4124" dev=proc ino=270270466 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2735): avc: denied { getattr } for pid=4883 comm="ps" name="4130" dev=proc ino=270663682 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:pam_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2736): avc: denied { getattr } for pid=4883 comm="ps" name="4147" dev=proc ino=271777794 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_evolution_server_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2737): avc: denied { getattr } for pid=4883 comm="ps" name="4178" dev=proc ino=273809410 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_gph_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.501:2738): avc: denied { getattr } for pid=4883 comm="ps" name="4179" dev=proc ino=273874946 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2739): avc: 
denied { getattr } for pid=4883 comm="ps" name="4195" dev=proc ino=274923522 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2740): avc: denied { getattr } for pid=4883 comm="ps" name="4308" dev=proc ino=282329090 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_evolution_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2741): avc: denied { getattr } for pid=4883 comm="ps" name="4341" dev=proc ino=284491778 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2742): avc: denied { getattr } for pid=4883 comm="ps" name="4342" dev=proc ino=284557314 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:system_r:crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2743): avc: denied { getattr } for pid=4883 comm="ps" name="4345" dev=proc ino=284753922 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2744): avc: denied { getattr } for pid=4883 comm="ps" name="4346" dev=proc ino=284819458 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2745): avc: denied { getattr } for pid=4883 comm="ps" name="4347" dev=proc ino=284884994 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2746): avc: denied { getattr } for pid=4883 comm="ps" name="4348" dev=proc ino=284950530 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2747): avc: denied { getattr } for pid=4883 comm="ps" name="4350" dev=proc ino=285081602 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t 
-- 
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From rhally at mindspring.com Sun Apr 23 14:51:58 2006
From: rhally at mindspring.com (Richard Hally)
Date: Sun, 23 Apr 2006 10:51:58 -0400
Subject: update changes to disabled
Message-ID: <444B948E.2050806@mindspring.com>

Updating from selinux-policy-targeted-2.2.34-2 to the latest 2.2.34-3 changes the /etc/selinux/config from SELINUX=enforcing to disabled. Is this intentional?

Richard Hally

From selinux at gmail.com Sun Apr 23 18:25:16 2006
From: selinux at gmail.com (Tom London)
Date: Sun, 23 Apr 2006 11:25:16 -0700
Subject: SELINUX=disabled in latest rawhide?
Message-ID: <4c4ba1530604231125p3ba303f4r62b744c3432c41c5@mail.gmail.com>

Running latest rawhide, targeted/enforcing (selinux-policy-targeted-2.2.34-3):

After installing latest rawhide packages today, on reboot, I noticed:

Apr 23 10:44:36 localhost kernel: SELinux: Disabled at runtime.
Apr 23 10:44:36 localhost kernel: SELinux: Unregistering netfilter hooks

Checking /etc/selinux/config, SELINUX was set to disabled.

I reset SELINUX to enforcing, rebooted in permissive to single, but the reboot automagically detected a relabel was needed. It succeeded and enforcing reboot works just fine.

tom
-- 
Tom London

From rhally at mindspring.com Sun Apr 23 19:35:07 2006
From: rhally at mindspring.com (Richard Hally)
Date: Sun, 23 Apr 2006 15:35:07 -0400
Subject: SELINUX=disabled in latest rawhide?
In-Reply-To: <4c4ba1530604231125p3ba303f4r62b744c3432c41c5@mail.gmail.com>
References: <4c4ba1530604231125p3ba303f4r62b744c3432c41c5@mail.gmail.com>
Message-ID: <444BD6EB.6020902@mindspring.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing
> (selinux-policy-targeted-2.2.34-3):
>
> After installing latest rawhide packages today, on reboot, I noticed:
> Apr 23 10:44:36 localhost kernel: SELinux: Disabled at runtime.
> Apr 23 10:44:36 localhost kernel: SELinux: Unregistering netfilter hooks
>
> Checking /etc/selinux/config, SELINUX was set to disabled.
>
> I reset SELINUX to enforcing, rebooted in permissive to single, but
> the reboot automagically detected a relabel was needed. It succeeded
> and enforcing reboot works just fine.
>
> tom
> --
> Tom London
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>

yup, saw the same thing earlier this morning. The first time I rebooted to relabel I was in enforcing mode and the system would not come up to the point where it would do the relabel. Rebooting in permissive to single user (as above) allowed the relabel and subsequent reboot in enforcing.

The question still remains, was setting SELINUX=disabled in the config file intentional?

rh

From rfoster at mountainvisions.com.au Sun Apr 23 23:16:32 2006
From: rfoster at mountainvisions.com.au (Robert Foster)
Date: Mon, 24 Apr 2006 09:16:32 +1000
Subject: samba and apache shared directories on FC5
Message-ID: <001a01c6672b$f5f5a910$f5d94d8a@RoverXP>

Hi,
I have a directory structure that contains multiple web sites that I also want shared out using samba to restricted users. I've just upgraded to FC5 and worked most of the kinks out (including trying to get Samba's net getlocalsid to talk to ldap properly, but that's another story).

current configuration:

# ls -alZ /MV
gives:
drwsrws--- apache apache system_u:object_r:httpd_sys_content_t webs

however the samba shared directory is readonly for users browsing. If I set the type to samba_share_t, apache can no longer read the directory.

This also has other implications. I have a directory in another share (Archives/Repository) that is soft linked to a directory under a web site so that users can copy files into it from a windows client and have them available for download.

I found a post by Stephen Smalley back in June last year that talks a little about this issue:
http://www.redhat.com/archives/fedora-selinux-list/2005-June/msg00264.html
that suggested a possible fix by defining a new type allowing both httpd and samba to access the files - with samba having permission to write.

Any ideas on whether this is likely to be added to a policy for FC5 in the near future, and how can I fix this in the interim? I'd rather not disable selinux if I can avoid it :)

Thanks in advance,
Robert Foster
General Manager
Mountain Visions P/L
http://mountainvisions.com.au
Mobile: 0418 131 065
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Robert Foster.vcf
Type: text/x-vcard
Size: 518 bytes
Desc: not available
URL: 

From tonynelson at georgeanelson.com Mon Apr 24 02:18:32 2006
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Sun, 23 Apr 2006 22:18:32 -0400
Subject: Trouble with dump / restore
In-Reply-To: 
Message-ID: 

At 8:32 PM -0400 4/20/06, Tony Nelson wrote:
>This is probably only marginally related to SELinux. I'm trying to learn
>how to use dump and restore (via DVD+/-R), and I've gotten it working to
>the point where the files seem to be OK but the SELinux Extended Attributes
>are not. I used the commands (as root, with / being LogVol02):
>
> # mount -r /dev/VolGroup00/LogVol00 /mnt/lv00
> # dump -0 -L xxx -B 4590208 -f /tmp/dumpdvd /dev/VolGroup00/LogVol00
> [cdrecord used once per tape, from another terminal]
> # cdrecord -v -sao dev=dvd -data /tmp/dumpdvd
> # restore -C -f /dev/dvd
>
>OK, some of that is superstition, but it works except for about one of
>these messages for each file, and no other errors (according to grep -v):
>
> ./path/to/file: EA foo_x:object_r:bar_y value changed
>
>What am I doing wrong?

What I'm doing wrong is dumping (on FC5) a volume made with FC3 and then running restore on FC5. FC5's SELinux activates the 4th component (MLS) of the Security Context. Getxattr() is returning the 4th component (probably inventing it), but dump didn't put one in the dump -- looking at the code, I think that the 4th component must not be on the source disk.

I found this by groveling through the source for restore, looking at misleading ls -lZ output, and then calling getxattr() and seeing what it returned. This would have been easier if ls -lZ showed the same thing that getxattr() returned, but ls -lZ left off the new MLS stuff.

Is there a way to set SELinux to allow restore -C to work?

What would need to be done to restore to get it to cope with this change, for dumps that don't have MLS being restored on systems that do?
____________________________________________________________________
TonyN.:' '

From paul at city-fan.org Mon Apr 24 07:19:09 2006
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 24 Apr 2006 08:19:09 +0100
Subject: samba and apache shared directories on FC5
In-Reply-To: <001a01c6672b$f5f5a910$f5d94d8a@RoverXP>
References: <001a01c6672b$f5f5a910$f5d94d8a@RoverXP>
Message-ID: <1145863149.20978.33.camel@laurel.intra.city-fan.org>

On Mon, 2006-04-24 at 09:16 +1000, Robert Foster wrote:
> Hi,
> I have a directory structure that contains multiple web sites that I
> also want shared out using samba to restricted users. I've just
> upgraded to FC5 and worked most of the kinks out (including trying to
> get Samba's net getlocalsid to talk to ldap properly, but that's
> another story).
>
> current configuration:
>
> # ls -alZ /MV
> gives:
> drwsrws--- apache apache system_u:object_r:httpd_sys_content_t
> webs
>
> however the samba shared directory is readonly for users browsing.
> If I set the type to samba_share_t, apache can no longer read the
> directory.
>
> This also has other implications. I have a directory in another share
> (Archives/Repository) that is soft linked to a directory under a web
> site so that users can copy files into it from a windows client and
> have them available for download.
>
> I found a post by Stephen Smalley back in June last year that talks a
> little about this issue:
> http://www.redhat.com/archives/fedora-selinux-list/2005-June/msg00264.html
> that suggested a possible fix by defining a new type allowing both
> httpd and samba to access the files - with samba having permission to
> write.
>
> Any ideas on whether this is likely to be added to a policy for FC5 in
> the near future, and how can I fix this in the interim? I'd rather
> not disable selinux if I can avoid it :)

This was implemented quite a long time ago. Change the context type of the data to public_content_t (for read-only data) or public_content_rw_t for data that one of the daemons needs to be able to write.

Then allow whichever daemons need write access to this data by setting the appropriate booleans:

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon_write
allow_rsync_anon_write
allow_smbd_anon_write

So in your case you'd want:

# setsebool -P allow_smbd_anon_write 1

Paul.

From kayvan at sylvan.com Mon Apr 24 07:48:01 2006
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Mon, 24 Apr 2006 00:48:01 -0700
Subject: dump/restore and SElinux security context problem
Message-ID: <20060424074801.GC14594@satyr.sylvan.com>

[This was originally posted on fedora-list, and despite some helpful answers, the problem still remains. --Kayvan]

Hi everyone.

I was trying to upgrade from FC4 to FC5, but my root partition was too small to accommodate the DVD image. So, I had to resize some partitions. GNU parted was useless in that task (see Redhat Bugzilla Bug 90894).

Finally, I used "dump" to create a snapshot of a filesystem, then, using the FC5 DVD to boot into rescue mode, used "restore" to recreate it.

The problem: during the restore, for every file, I get messages like this:

restore: lsetxattr ./System.map-2.6.15-1.1833_FC4 failed: Invalid argument

This feels like it's related to SELinux. In fact, looking at the restored files with "ls -Z", I see that they are all unlabeled.

If I don't use the rescue CD, and instead, on a running system where SELinux is enabled, do the following:

1) setenforce 0
2) restore from the dump.
3) setenforce 1

Then, the restored files are in their correct security context.

How do I get this same result (files completely restored, along with their extended attributes) while using the rescue CD?

My end goal is to be able to do a dump, boot into a rescue mode, resize partitions, format new filesystems and restore the dump, and have all files retain all their attributes (including their SELinux context information).

Thanks for any answers.

---Kayvan
-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

From kayvan at sylvan.com Mon Apr 24 21:47:52 2006
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Mon, 24 Apr 2006 14:47:52 -0700
Subject: [FW: Re: dump/restore and SElinux security context problem]
Message-ID: <20060424214752.GA24634@satyr.sylvan.com>

Anyone on the fedora-selinux-list have any clues for how to proceed with this problem?

In a nutshell: I can not get dump to restore the xattr file attributes when booted into the FC5 rescue DVD.

Thanks for any answers or ideas!

----- Forwarded message from "Kayvan A. Sylvan" -----

Date: Sun, 23 Apr 2006 18:44:37 -0700
From: "Kayvan A. Sylvan"
To: For users of Fedora Core releases
Subject: Re: dump/restore and SElinux security context problem

On Sun, Apr 23, 2006 at 02:39:43PM -0400, Tony Nelson wrote:
> At 8:06 PM -0700 4/22/06, Kayvan A. Sylvan wrote:
> >I used "dump" to create a snapshot of a filesystem, then, using
> >the FC5 DVD to boot into rescue mode, used "restore" to recreate it.
> >
> >The problem: during the restore, for every file, I get messages like this:
> >
> > restore: lsetxattr ./System.map-2.6.15-1.1833_FC4 failed: Invalid argument
>
> When booting the rescue CD, use the kernel command line:
>
> linux rescue enforcing=0
>
> along with any other options you need (when I remember, I use "hda=noprobe
> hdb=noprobe").

This seemed to produce no different effect. The portion of the dmesg output (when booting the rescue CD) follows:

security: 3 users, 6 roles, 1161 types, 135 bools, 1 sens, 256 cats
security: 55 classes, 38679 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev loop0, type squashfs), not configured for labeling
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1145840702.919:2): avc: denied { transition } for pid=651 comm="loader" name="bash" dev=loop0 ino=1500 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:anaconda_t:s0 tclass=process
[...]
SELinux: initialized (dev sda1, type ext2), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr

After the restore, the "ls -lZ" output, while still booted in the rescue mode, shows this (it's identical for all files):

-rw-r--r-- root root system_u:object_r:file_t:s0 vmlinuz-2.6.16-1.2069_FC4smp

Once booted back up in the FC4 system, the same file shows up as:

-rw-r--r-- root root system_u:object_r:unlabeled_t vmlinuz-2.6.16-1.2069_FC4smp

I am wondering if I have to have the same SELinux policy loaded while in the rescue mode in order to avoid the "lsetxattr: invalid argument" error? How would I go about doing that?

---Kayvan

----- End forwarded message -----

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

From jeff-list-fedora at taltos.com Mon Apr 24 21:56:16 2006
From: jeff-list-fedora at taltos.com (Jeff Coffler)
Date: Mon, 24 Apr 2006 14:56:16 -0700
Subject: Problem with SELinux and Postfix (sending from Python scripts)
Message-ID: <1145915781.30207.TMDA@kidsrock.taltos.com>

Hi folks,

I found this link that had a similar (but not identical) problem:
http://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html

O/S: Fedora Core5
Mail server: Postfix
SELinux: Enabled.

Basically, the problem is this. When I try to send E-Mail from a Python script, Postfix fails. In the maillog file, I see:

Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: maildrop/2104D276B2A: Permission denied

In messages, I see:

Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied { getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file

If I set SELinux to permissive mode, it works fine.

Is this an SELinux policy problem? How can I go about fixing this? I'd prefer to run with SELinux enabled ...

Thanks!

-- Jeff

From tonynelson at georgeanelson.com Tue Apr 25 02:30:12 2006
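An added example, not from the list thread: a small Python parser that turns AVC denial lines like the one above into structured records and collapses repeats into (source type, target type, class, permissions) counts, which is the grouping a policy triage pass (or audit2allow) works from. SAMPLE_LOG is constructed from denials quoted on this list; the function names are my own.

```python
"""Parse syslog/kernel AVC denial lines into structured records and collapse
repeats into (source type, target type, class, permissions) counts.  Example
code, not from the list thread; SAMPLE_LOG is constructed from denials quoted
there (a few of the repeated ps/getattr lines, the lpr, firefox and postfix
pickup denials, plus one non-AVC maillog line to show it is skipped)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# audit(<secs>.<msecs>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (name="[14195]") or bare (pid=4883)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, modelled on the denials quoted in this thread.
SAMPLE_LOG = """\
Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2748): avc: denied { getattr } for pid=4883 comm="ps" name="4351" dev=proc ino=285147138 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir
Apr 23 10:57:26 workstation kernel: audit(1145786246.505:2749): avc: denied { getattr } for pid=4883 comm="ps" name="4352" dev=proc ino=285212674 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_crond_t tclass=dir
Apr 23 10:57:26 workstation kernel: audit(1145786246.549:2807): avc: denied { read write } for pid=4881 comm="lpr" name="_CACHE_MAP_" dev=hda8 ino=727273 scontext=user_u:user_r:user_lpr_t tcontext=user_u:object_r:user_mozilla_home_t tclass=file
Apr 23 10:57:42 workstation kernel: audit(1145786262.103:2832): avc: denied { name_connect } for pid=4199 comm="firefox-bin" dest=5000 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied { getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file
Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: maildrop/2104D276B2A: Permission denied
"""

SummaryKey = Tuple[str, str, str, Tuple[str, ...]]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(m.group("perms").split()),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def split_context(ctx: str) -> Dict[str, Optional[str]]:
    """Split user:role:type[:mls] into its parts.  The MLS range itself may
    contain colons (s0-s0:c0.c1023), so split on at most three separators;
    mls is None when the context has no fourth component, as for labels
    written by a pre-MLS release (the FC3 vs FC5 case raised in this thread)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "mls": parts[3] if len(parts) == 4 else None,
    }


def summarise(lines: Iterable[str]) -> Counter:
    """Count denials per (source type, target type, class, perms).  Hundreds
    of identical lines (one getattr per /proc/<pid> directory) become one key."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key: SummaryKey = (
            split_context(str(rec["scontext"]))["type"],
            split_context(str(rec["tcontext"]))["type"],
            str(rec["tclass"]),
            tuple(rec["perms"]),
        )
        counts[key] += 1
    return counts


def candidate_rule(key: SummaryKey) -> str:
    """Render a summary key as the allow rule audit2allow would propose.  The
    output is input for review, not something to load blindly: a denial caused
    by a descriptor leaked across exec is fixed by closing the descriptor, and
    one caused by a mislabelled file is fixed with restorecon, not a new rule."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


def triage(log: str) -> Dict[str, int]:
    """Map each candidate rule to the number of raw denials it accounts for."""
    return {candidate_rule(k): n for k, n in summarise(log.splitlines()).items()}


if __name__ == "__main__":
    for rule, n in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {rule}")
```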
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Mon, 24 Apr 2006 22:30:12 -0400
Subject: Trouble with dump / restore
In-Reply-To: 
References: 
Message-ID: 

At 10:18 PM -0400 4/23/06, Tony Nelson wrote:
>At 8:32 PM -0400 4/20/06, Tony Nelson wrote:
>>This is probably only marginally related to SELinux. I'm trying to learn
>>how to use dump and restore (via DVD+/-R), and I've gotten it working to
>>the point where the files seem to be OK but the SELinux Extended Attributes
>>are not. I used the commands (as root, with / being LogVol02):
>>
>> # mount -r /dev/VolGroup00/LogVol00 /mnt/lv00
>> # dump -0 -L xxx -B 4590208 -f /tmp/dumpdvd /dev/VolGroup00/LogVol00
>> [cdrecord used once per tape, from another terminal]
>> # cdrecord -v -sao dev=dvd -data /tmp/dumpdvd
>> # restore -C -f /dev/dvd
>>
>>OK, some of that is superstition, but it works except for about one of
>>these messages for each file, and no other errors (according to grep -v):
>>
>> ./path/to/file: EA foo_x:object_r:bar_y value changed
>>
>>What am I doing wrong?
>
>What I'm doing wrong is dumping (on FC5) a volume made with FC3 and then
>running restore on FC5. FC5's SELinux activates the 4th component (MLS) of
>the Security Context. Getxattr() is returning the 4th component (probably
>inventing it), but dump didn't put one in the dump -- looking at the code,
>I think that the 4th component must not be on the source disk.
>
>I found this by groveling through the source for restore, looking at
>misleading ls -lZ output, and then calling getxattr() and seeing what it
>returned. This would have been easier if ls -lZ showed the same thing that
>getxattr() returned, but ls -lZ left off the new MLS stuff.
>
>Is there a way to set SELinux to allow restore -C to work?
>
>What would need to be done to restore to get it to cope with this change,
>for dumps that don't have MLS being restored on systems that do?

Having received no response from this list, the problem is moved to bugzilla:

[Bug 189845] New: FC5 SELinux causes miscompares for restore -C
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189845

[ dump-Bugs-1475895 ] FC5 SELinux causes miscompares for restore -C
https://sourceforge.net/tracker/?func=detail&atid=101306&aid=1475895&group_id=1306
____________________________________________________________________
TonyN.:' '

From paul at city-fan.org Tue Apr 25 11:18:31 2006
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 25 Apr 2006 12:18:31 +0100
Subject: texrel_shlib_t
Message-ID: <444E0587.7040100@city-fan.org>

texrel_shlib_t is I believe an alias for textrel_shlib_t. Is it just there for historical reasons to support a typo someone made whilst developing policy?

There are still some instances of texrel_shlib_t in the policy:

# semanage fcontext -l | grep texrel
/usr(/.*)?/intellinux/plug_ins/.*\.api   regular file   system_u:object_r:texrel_shlib_t:s0
/usr(/.*)?/intellinux/nppdf\.so          regular file   system_u:object_r:texrel_shlib_t:s0
/usr/lib(64)?/libsipphoneapi\.so.*       regular file   system_u:object_r:texrel_shlib_t:s0
/usr(/.*)?/intellinux/lib/\.so           regular file   system_u:object_r:texrel_shlib_t:s0

Should these really be textrel_shlib_t or am I missing something subtle?

Paul.

From cpebenito at tresys.com Tue Apr 25 13:42:30 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Tue, 25 Apr 2006 09:42:30 -0400
Subject: texrel_shlib_t
In-Reply-To: <444E0587.7040100@city-fan.org>
References: <444E0587.7040100@city-fan.org>
Message-ID: <1145972551.15625.3.camel@sgc>

On Tue, 2006-04-25 at 12:18 +0100, Paul Howarth wrote:
> texrel_shlib_t is I believe an alias for textrel_shlib_t. Is it just
> there for historical reasons to support a typo someone made whilst
> developing policy?

texrel_shlib_t was the original name of the type, and it was renamed to textrel_shlib_t. texrel_shlib_t is an alias of textrel_shlib_t for compatibility.

> There are still some instances of texrel_shlib_t in the policy:
[cut]
> Should these really be textrel_shlib_t or am I missing something subtle?

They should, but it doesn't hurt for them to be texrel_shlib_t since it's an alias of textrel_shlib_t. I have fixed these in upstream refpolicy.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From dragoran at feuerpokemon.de Tue Apr 25 14:35:47 2006
From: dragoran at feuerpokemon.de (dragoran)
Date: Tue, 25 Apr 2006 16:35:47 +0200
Subject: selinux breaks nfs
In-Reply-To: <444B3F1C.2030608@feuerpokemon.de>
References: <444B3F1C.2030608@feuerpokemon.de>
Message-ID: <444E33C3.1000108@feuerpokemon.de>

dragoran wrote:
> hello
> I tried to share a partition using nfs (using system-config-nfs), but
> selinux prevents it from being mounted:
> audit(1145781795.498:64): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781795.498:65): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781795.498:66): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781795.498:67): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781817.496:68): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781817.496:69): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781817.496:70): avc: denied { dac_override } for pid=26228 comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> audit(1145781817.496:71): avc: denied { dac_read_search } for pid=26228 comm="rpc.mountd" capability=2 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
> All booleans for nfs are set to true, if I do setenforce 0 it works.
> I am using selinux-policy-targeted-2.2.34-3.fc5 (from updates testing)
> on FC x86_64.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Any ideas? Or should I bugzilla this?

From dwalsh at redhat.com Tue Apr 25 17:05:27 2006
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 25 Apr 2006 13:05:27 -0400 Subject: Problem with SELinux and Postfix (sending from Python scripts) In-Reply-To: <1145915781.30207.TMDA@kidsrock.taltos.com> References: <1145915781.30207.TMDA@kidsrock.taltos.com> Message-ID: <444E56D7.5060304@redhat.com> Jeff Coffler wrote: > Hi folks, > > I found this link that had a similar (but not identical) problem: > > http://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html > > > O/S: Fedora Core5 > Mail server: Postfix > SELinux: Enabled. > > Basically, the problem is this. When I try to send E-Mail from a > Python script, Postfix fails. In the maillog file, I see: > > Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: > maildrop/2104D276B2A: Permission denied > > In messages, I see: > > Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied { > getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 > ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 > tcontext=root:object_r:postfix_spool_t:s0 tclass=file > > If I set SELinux to permissive mode, it works fine. > > Is this an SELinux policy problem? How can I go about fixing this? > I'd prefer to run with SELinux enabled ... > # grep postfix_spool /var/log/message | audit2allow -M postfixpickup # semodule -i postfixpickup.pp Will fix it for now. I will update policy to allow searching of this directory > Thanks! > > -- Jeff > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From jeff-list-fedora at taltos.com Tue Apr 25 17:56:31 2006 
From: jeff-list-fedora at taltos.com (Jeff Coffler) Date: Tue, 25 Apr 2006 10:56:31 -0700 Subject: Problem with SELinux and Postfix (sending from Python scripts) References: <1145915781.30207.TMDA@kidsrock.taltos.com> <444E56D7.5060304@redhat.com> Message-ID: <1145987798.3453.TMDA@kidsrock.taltos.com> >> Is this an SELinux policy problem? How can I go about fixing this? I'd >> prefer to run with SELinux enabled ... >> > # grep postfix_spool /var/log/message | audit2allow -M postfixpickup > # semodule -i postfixpickup.pp > > Will fix it for now. > > I will update policy to allow searching of this directory Hmm, this didn't work ... [root jeff]# grep postfix_spool /var/log/messages | audit2allow -M postfixpickup Generating type enforcment file: postfixpickup.te Compiling policy checkmodule -M -m -o postfixpickup.mod postfixpickup.te semodule_package -o postfixpickup.pp -m postfixpickup.mod ******************** IMPORTANT *********************** In order to load this newly created policy package into the kernel, you are required to execute semodule -i postfixpickup.pp [root jeff]# semodule -i postfixpickup.pp slimserver homedir /usr/local/slimserver or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. [root jeff]# grep -i slim /etc/selinux/targeted/contexts/files/file_contexts [root jeff]# I'm not sure why it's complaining about slimserver since there's no "slim" in that file. I could deinstall that to do the semodule command, then reinstall. Or I could wait until you guys push out the next SELinux policy, then enable SELinux. Suggestions? Thanks! -- Jeff From strong.s at crwash.org Tue Apr 25 20:04:58 2006 
From: strong.s at crwash.org (Steve Strong) Date: Tue, 25 Apr 2006 15:04:58 -0500 Subject: securing home directories and using public_html Message-ID: <444E80EA.4070608@crwash.org> Sorry if this has already been asked and answered, but I'm a newbie! Maybe there's an archive I can search... I run a lab of fedora 5 clients and a RHEL 4.0 server (that means that the version of SELinux running on the server is the same as the version running on fedora core 3, right?) in a high school CS department. I'm teaching a unit on web programming using php and mysql. I've given students a world-readable public_html directory and a database, user and password. All works well until I notice students copying code from each other's public_html directories. Is there a way to allow httpd to access these directories and not allow users to get to them from their console? thanks in advance! steve -- Steve Strong Math and Computer Science Washington High School 2205 Forest Dr. SE Cedar Rapids, IA 52403 http://crwash.org mailto:strong.s at crwash.org From paul at city-fan.org Wed Apr 26 07:11:53 2006 
From: paul at city-fan.org (Paul Howarth) Date: Wed, 26 Apr 2006 08:11:53 +0100 Subject: securing home directories and using public_html In-Reply-To: <444E80EA.4070608@crwash.org> References: <444E80EA.4070608@crwash.org> Message-ID: <1146035513.14151.7.camel@laurel.intra.city-fan.org> On Tue, 2006-04-25 at 15:04 -0500, Steve Strong wrote: > Sorry if this has already been asked and answered, but I'm a newbie! > Maybe there's an archive I can search... > > I run a lab of fedora 5 clients and a RHEL 4.0 server (that means that > the version of SELinux running on the server is the same as the version > running on fedora core 3, right?) in a high school CS department. I'm > teaching a unit on web programming using php and mysql. I've given > students a world-readable public_html directory and a database, user and > password. All works well until I notice students copying code from each > other's public_html directories. > > Is there a way to allow httpd to access these directories and not allow > users to get to them from their console? Can't you do this using regular Unix permissions? Have the public_html directory owned by the student, group apache, mode 750. So the student can read and write to it, the web server can read it and other students can't do either. Paul. From ce at ruault.com Wed Apr 26 10:14:57 2006 
From: ce at ruault.com (Charles-Edouard Ruault)
Date: Wed, 26 Apr 2006 12:14:57 +0200
Subject: bluetooth on FC5
Message-ID: <444F4821.8030101@ruault.com>

Hi All,

I've compiled and installed kdebluetooth on my Fedora ppc distro, I'm trying to get the stuff working and I'm getting the following problems related to SELinux:

When I want to browse a device which is not yet paired with the laptop I'm getting errors, because hcid is denied a few filesystem operations:

audit(1146044994.917:786): avc: denied { create } for pid=1836 comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

I've then straced hcid and found out that it's trying to create a directory /var/lib/bluetooth and that this operation is being denied ( thus the above log ).
I've manually created the directory:
mkdir -p /var/lib/bluetooth/
and then
chcon system_u:object_r:bluetooth_var_lib_t bluetooth

and now everything's fine.
So I guess two things could be done in order to fix this :

1) allow hcid to create a dir in /var/lib ( i.e. add this to the policy : allow bluetooth_t var_lib_t:dir create; )
2) during installation of the bluetooth packages, create the /var/lib/bluetooth directory and tag it properly.

--
Charles-Edouard Ruault
GPG key Id E4D2B80C

From ce at ruault.com Wed Apr 26 10:27:29 2006
From: ce at ruault.com (Charles-Edouard Ruault)
Date: Wed, 26 Apr 2006 12:27:29 +0200
Subject: bluetooth on FC5
In-Reply-To: <444F4821.8030101@ruault.com>
References: <444F4821.8030101@ruault.com>
Message-ID: <444F4B11.2000903@ruault.com>

Charles-Edouard Ruault wrote:
> Hi All,
>
> I've compiled and installed kdebluetooth on my Fedora ppc distro, I'm
> trying to get the stuff working and I'm getting the following problems
> related to SELinux:
>
> When I want to browse a device which is not yet paired with the laptop
> I'm getting errors, because hcid is denied a few filesystem operations:
>
> audit(1146044994.917:786): avc: denied { create } for pid=1836
> comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>
> I've then straced hcid and found out that it's trying to create a
> directory /var/lib/bluetooth and that this operation is being denied (
> thus the above log ).
> I've manually created the directory:
> mkdir -p /var/lib/bluetooth/
> and then
> chcon system_u:object_r:bluetooth_var_lib_t bluetooth
>
> and now everything's fine.
> So I guess two things could be done in order to fix this :
>
> 1) allow hcid to create a dir in /var/lib ( i.e. add this to the policy
> : allow bluetooth_t var_lib_t:dir create; )
> 2) during installation of the bluetooth packages, create the
> /var/lib/bluetooth directory and tag it properly.
>

Ok I spoke too quickly, after trying to pair with my phone I got the following avc message:

audit(1146046683.267:792): avc: denied { execute_no_trans } for pid=3742 comm="sh" name="kbluepin" dev=hda10 ino=1740403 scontext=user_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

So we should also add the following to the policy:
allow bluetooth_t lib_t:file execute_no_trans;

--
Charles-Edouard Ruault
GPG key Id E4D2B80C

From ce at ruault.com Wed Apr 26 10:58:08 2006
From: ce at ruault.com (Charles-Edouard Ruault) Date: Wed, 26 Apr 2006 12:58:08 +0200 Subject: bluetooth on FC5 In-Reply-To: <444F4B11.2000903@ruault.com> References: <444F4821.8030101@ruault.com> <444F4B11.2000903@ruault.com> Message-ID: <444F5240.1010003@ruault.com> Charles-Edouard Ruault wrote: > Charles-Edouard Ruault wrote: >> Hi All, >> >> i've compiled and installed kdebluetooth on my Fedora ppc distro, i'm >> trying to get the stuff working and i'm getting the following >> problems related to SELinux: >> >> When i want to browse a device which is not yet paired with the >> laptop i'm getting errors, because hcid is denied a few filesystem >> operations: >> >> audit(1146044994.917:786): avc: denied { create } for pid=1836 >> comm="hcid" name="bluetooth" >> scontext=system_u:system_r:bluetooth_t:s0 >> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir >> >> I've then straced hcid and found out that it's trying to create a >> directory /var/lib/bluetooth and that this operation is being denied >> ( thus the above log ). >> I've manually created the directory: >> mkdir -p /var/lib/bluetooth/ >> and then >> chcon system_u:object_r:bluetooth_var_lib_t bluetooth >> >> and now everything's fine. >> So i guess two things could be done in order to fix this : >> >> 1) allow hcid to create a dir in /var/lib ( i.e add this to the >> policy : allow bluetooth_t var_lib_t:dir create; ) >> 2) during installation of the bluetooth packages, create the >> /var/lib/bluetooth directory and tag it properly. 
>>
> Ok I spoke too quickly, after trying to pair with my phone I got the
> following avc message:
> audit(1146046683.267:792): avc: denied { execute_no_trans } for
> pid=3742 comm="sh" name="kbluepin" dev=hda10 ino=1740403
> scontext=user_u:system_r:bluetooth_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> So we should also add the following to the policy:
> allow bluetooth_t lib_t:file execute_no_trans;
>
>

Sorry for the noise, here's the follow-up on my findings:

I figured out that it was because I manually compiled & installed kbluepin. I simply relabeled the binary as follows and was able to move on ( just one step further unfortunately ):

chcon system_u:object_r:bluetooth_helper_exec_t /usr/lib/kdebluetooth/kbluepin

Then, trying to pair, I got the following:

Apr 26 12:49:06 kaluha hcid[3727]: link_key_request (sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5)
Apr 26 12:49:06 kaluha hcid[3727]: pin_code_request (sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5)
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:843): avc: denied { read } for pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:844): avc: denied { search } for pid=4261 comm="kbluepin" name="spool" dev=hda11 ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:845): avc: denied { read } for pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:846): avc: denied { read } for pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.279:847): avc:
denied { read } for pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.279:848): avc: denied { search } for pid=4261 comm="kbluepin" name="spool" dev=hda11 ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.279:849): avc: denied { search } for pid=4261 comm="kbluepin" name="spool" dev=hda11 ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.283:850): avc: denied { read } for pid=4261 comm="kbluepin" name="ftp" dev=hda11 ino=131074 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.283:851): avc: denied { search } for pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.287:852): avc: denied { read } for pid=4261 comm="kbluepin" name="www" dev=hda11 ino=262145 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.291:853): avc: denied { search } for pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.295:854): avc: denied { read } for pid=4261 comm="kbluepin" name="named" dev=hda11 ino=98307 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.295:855): avc: denied { search } for pid=4261 comm="kbluepin" name="spool" 
dev=hda11 ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.295:856): avc: denied { search } for pid=4261 comm="kbluepin" name="spool" dev=hda11 ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:857): avc: denied { search } for pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:858): avc: denied { search } for pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:859): avc: denied { search } for pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:860): avc: denied { dac_override } for pid=4261 comm="kbluepin" capability=1 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:861): avc: denied { dac_read_search } for pid=4261 comm="kbluepin" capability=2 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:862): avc: denied { read } for pid=4261 comm="kbluepin" name="beagle" dev=hda11 ino=32835 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:863): avc: denied { read } for pid=4261 comm="kbluepin" name="gdm" dev=hda11 ino=425986 scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:xserver_log_t:s0 tclass=dir Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:864): avc: denied { dac_override } for pid=4261 comm="kbluepin" capability=1 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:865): avc: denied { dac_read_search } for pid=4261 comm="kbluepin" capability=2 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability which should translate to the following rules ( why is bluezpin searching through that many directories .... ) allow bluetooth_helper_t self:capability { dac_override dac_read_search }; allow bluetooth_helper_t httpd_sys_content_t:dir read; allow bluetooth_helper_t named_zone_t:dir read; allow bluetooth_helper_t public_content_t:dir read; allow bluetooth_helper_t sbin_t:dir read; allow bluetooth_helper_t var_lib_t:dir search; allow bluetooth_helper_t var_spool_t:dir search; allow bluetooth_helper_t var_t:dir read; allow bluetooth_helper_t xserver_log_t:dir read; Then i reverted to bluez-pin ( default ) and then got the following : Apr 26 12:52:10 kaluha hcid[4351]: link_key_request (sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5) Apr 26 12:52:10 kaluha hcid[4351]: pin_code_request (sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5) Apr 26 12:52:10 kaluha kernel: audit(1146048730.536:889): avc: denied { search } for pid=4363 comm="sh" name="home" dev=hda9 ino=1048577 scontext=user_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir Apr 26 12:52:10 kaluha kernel: audit(1146048730.580:890): avc: denied { dac_override } for pid=4363 comm="bluez-pin" capability=1 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability Apr 26 12:52:10 kaluha kernel: audit(1146048730.580:891): avc: denied { dac_read_search } for pid=4363 comm="bluez-pin" capability=2 
scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:52:10 kaluha hcid[4362]: PIN helper exited abnormally with code 256

which translates to the following policy changes:

allow bluetooth_helper_t self:capability { dac_override dac_read_search };
allow bluetooth_t home_root_t:dir search;

--
Charles-Edouard Ruault
GPG key Id E4D2B80C

From paul at city-fan.org Wed Apr 26 14:25:28 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 26 Apr 2006 15:25:28 +0100
Subject: mock and SELinux
Message-ID: <444F82D8.1040003@city-fan.org>

I've written up my workaround for getting mock to work under SELinux at:

http://fedoraproject.org/wiki/Extras/MockTricks

(the bottom half of the page). It'd be nice if some people more knowledgeable than myself would give it a once-over to make sure I'm not talking complete nonsense... :-)

Cheers, Paul.

From ce at ruault.com Wed Apr 26 14:39:59 2006
From: ce at ruault.com (Charles-Edouard Ruault)
Date: Wed, 26 Apr 2006 16:39:59 +0200
Subject: bluetooth on FC5: Working policies for bluez-pin & kbluepin
In-Reply-To: <444F4821.8030101@ruault.com>
References: <444F4821.8030101@ruault.com>
Message-ID: <444F863F.8050605@ruault.com>

Ok, after all the noise I made on the list, here's my contribution : I've made two policies to allow kdebluetooth to work with selinux. One is when using the bluez-pin helper for pairing, the other one is when using the kdebluepin pairing program.

You still have to manually create and label the /var/lib/bluetooth directory in order for this to work:

mkdir -p /var/lib/bluetooth/
chcon system_u:object_r:bluetooth_var_lib_t /var/lib/bluetooth

then select the policy you want and run:

checkmodule -M -m -o policyname.mod policyname.te
semodule_package -o policyname.pp -m policyname.mod
semodule -i policyname.pp

Hope this helps !

Charles-Edouard Ruault wrote:
> Hi All,
>
> I've compiled and installed kdebluetooth on my Fedora ppc distro, I'm
> trying to get the stuff working and I'm getting the following problems
> related to SELinux:
>
> When I want to browse a device which is not yet paired with the laptop
> I'm getting errors, because hcid is denied a few filesystem operations:
>
> audit(1146044994.917:786): avc: denied { create } for pid=1836
> comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>
> I've then straced hcid and found out that it's trying to create a
> directory /var/lib/bluetooth and that this operation is being denied (
> thus the above log ).
> I've manually created the directory:
> mkdir -p /var/lib/bluetooth/
> and then
> chcon system_u:object_r:bluetooth_var_lib_t bluetooth
>
> and now everything's fine.
> So I guess two things could be done in order to fix this :
>
> 1) allow hcid to create a dir in /var/lib ( i.e. add this to the policy
> : allow bluetooth_t var_lib_t:dir create; )
> 2) during installation of the bluetooth packages, create the
> /var/lib/bluetooth directory and tag it properly.
>

--
Charles-Edouard Ruault
GPG key Id E4D2B80C

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: kbluepin.te
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bluezpin.te
URL:

From notting at redhat.com Wed Apr 26 15:19:26 2006
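What the `grep ... | audit2allow -M` step earlier in the thread and the hand translation of the bluetooth denials into allow rules both do, as an added Python example that is neither the list's code nor audit2allow's source: it parses AVC messages copied from this thread (embedded as constructed sample input), merges denied permissions per (source type, target type, class), and renders a .te in the standard loadable-module layout (module header, require block, rules) that the checkmodule / semodule_package / semodule -i sequence above consumes. Function names are my own; the scrubbed kbluepin.te / bluezpin.te attachments are not reproduced.

```python
"""Collapse SELinux AVC denials into allow rules and a loadable-module .te.

Added example for this thread (not the list's code and not audit2allow
itself): one allow rule per (source type, target type, object class),
with every denied permission for that triple merged into one brace set.
"""
import re
from collections import defaultdict

# Layout of the 2006-era kernel AVC messages quoted in this thread:
#   audit(<ts>:<serial>): avc: denied { perm ... } for pid=... comm="..."
#       [name=... dev=... ino=... | capability=N]
#       scontext=<ctx> tcontext=<ctx> tclass=<class>
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+"
    r".*?scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Constructed sample input: AVC lines copied from messages in this thread
# (postfix pickup, samba's useradd, bluez-pin) plus one non-AVC line.
SAMPLE_AVC = [
    'audit(1145912278.348:688): avc: denied { getattr } for pid=29094 comm="pickup" name="2104D276B2A" '
    'dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file',
    'audit(1145984005.088:161): avc: denied { read } for pid=24952 comm="useradd" name="passwd" dev=dm-0 '
    'ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 '
    'ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'audit(1146048730.536:889): avc: denied { search } for pid=4363 comm="sh" name="home" dev=hda9 '
    'ino=1048577 scontext=user_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'audit(1146048730.580:890): avc: denied { dac_override } for pid=4363 comm="bluez-pin" capability=1 '
    'scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability',
    'audit(1146048730.580:891): avc: denied { dac_read_search } for pid=4363 comm="bluez-pin" capability=2 '
    'scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability',
    "Apr 26 12:52:10 kaluha hcid[4362]: PIN helper exited abnormally with code 256",
]

def context_type(ctx):
    """Type field of a context such as user_u:system_r:bluetooth_t:s0.

    Works for the FC5 form with the MLS level (:s0) and for the
    FC4/RHEL4 form without it (root:system_r:restorecon_t).
    """
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)) or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = context_type(m["scontext"])
    # Policy spells a target identical to the source (the capability
    # checks above) as "self" instead of repeating the type name.
    ttype = "self" if m["scontext"] == m["tcontext"] else context_type(m["tcontext"])
    return stype, ttype, m["tclass"], frozenset(m["perms"].split())

def collect(lines):
    """Merge denied permissions per (source, target, class) triple."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            groups[(stype, ttype, tclass)].update(perms)
    return groups

def fmt_perms(perms):
    """A single permission bare, several inside braces, always sorted."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def allow_rules(lines):
    """One allow rule per triple, in deterministic order."""
    return [
        f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};"
        for (stype, ttype, tclass), perms in sorted(collect(lines).items())
    ]

def module_te(name, lines):
    """Render .te source for a loadable module: header, require block, rules.

    A module must declare every type and every class/permission pair it
    references in a require block; audit2allow -M writes this ahead of
    the rules before running checkmodule on the file.
    """
    types, class_perms = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in collect(lines).items():
        types.update(t for t in (stype, ttype) if t != "self")
        class_perms[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Redirect to policyname.te, then checkmodule / semodule_package /
    # semodule -i as in the message above.
    print(module_te("bluezpin", SAMPLE_AVC), end="")
```

Feed it `grep avc /var/log/messages` instead of the sample list to reproduce the audit2allow step on a real log; the rules it emits are only as narrow as the denials that produced them, so review each one before loading it.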
From: notting at redhat.com (Bill Nottingham) Date: Wed, 26 Apr 2006 11:19:26 -0400 Subject: problems with tmpfs and relabeling In-Reply-To: <1145621558.21749.21.camel@moss-spartans.epoch.ncsc.mil> References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil> <20060420183816.GA1196@nostromo.devel.redhat.com> <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil> <1145621558.21749.21.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <20060426151926.GE3807@devserv.devel.redhat.com> Stephen Smalley (sds at tycho.nsa.gov) said: > On Fri, 2006-04-21 at 07:51 -0400, Stephen Smalley wrote: > > On Thu, 2006-04-20 at 14:38 -0400, Bill Nottingham wrote: > > Possibly stupid question: Will files be created dynamically in these > > tmpfs mounts at runtime? Do you expect them to follow the traditional > > inherit-from-parent-directory behavior you get from ext3? > > Sorry, not enough caffeine here. They already do follow that behavior > (via inode_init_security hook call from tmpfs). Only problem here is > getting the right label on the root directory inode in the first place, > which likely just requires allowing restorecon to fix it up, as is done > for /dev as well. This does suggest however that a rootcontext= option > to mount would be helpful. Sorry to be dense, but if I were to be writing down what specifically needs done, that would be: - rootcontext= support in mount? - a way to get the root label inode right on tmpfs (is this a policy or kernel change?) Just trying to clearly articulate what I'm blocking on. Bill From sds at tycho.nsa.gov Wed Apr 26 15:41:01 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 26 Apr 2006 11:41:01 -0400 Subject: problems with tmpfs and relabeling In-Reply-To: <20060426151926.GE3807@devserv.devel.redhat.com> References: <20060418140812.GA29333@devserv.devel.redhat.com> <1145379820.16632.82.camel@moss-spartans.epoch.ncsc.mil> <20060418184134.GC8935@devserv.devel.redhat.com> <20060418204245.GB17013@devserv.devel.redhat.com> <1145447245.24289.3.camel@moss-spartans.epoch.ncsc.mil> <20060420183816.GA1196@nostromo.devel.redhat.com> <1145620304.21749.14.camel@moss-spartans.epoch.ncsc.mil> <1145621558.21749.21.camel@moss-spartans.epoch.ncsc.mil> <20060426151926.GE3807@devserv.devel.redhat.com> Message-ID: <1146066061.28745.132.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2006-04-26 at 11:19 -0400, Bill Nottingham wrote: > Stephen Smalley (sds at tycho.nsa.gov) said: > > On Fri, 2006-04-21 at 07:51 -0400, Stephen Smalley wrote: > > > On Thu, 2006-04-20 at 14:38 -0400, Bill Nottingham wrote: > > > Possibly stupid question: Will files be created dynamically in these > > > tmpfs mounts at runtime? Do you expect them to follow the traditional > > > inherit-from-parent-directory behavior you get from ext3? > > > > Sorry, not enough caffeine here. They already do follow that behavior > > (via inode_init_security hook call from tmpfs). Only problem here is > > getting the right label on the root directory inode in the first place, > > which likely just requires allowing restorecon to fix it up, as is done > > for /dev as well. This does suggest however that a rootcontext= option > > to mount would be helpful. > > Sorry to be dense, but if I were to be writing down what specifically needs > done, that would be: > > - rootcontext= support in mount? > - a way to get the root label inode right on tmpfs (is this a policy > or kernel change?) > > Just trying to clearly articulate what I'm blocking on. 
In the short term, I think you are just blocking on a policy change to allow you to fix the root inode label via restorecon after mounting the fs with the fscontext= option. In the long term, I think we want some changes/extensions to context mount options and their handling in the kernel to allow things like: - rootcontext= option for specifying root inode label separate from fscontext label for fs_use_trans filesystems (like tmpfs), and - combined use of context= and fscontext= options (requested separately by Russell Coker). And then separately there are issues like the devpts root and its MLS label, which requires range_transition support on objects. -- Stephen Smalley National Security Agency From mroselinux at eastgranby.k12.ct.us Wed Apr 26 17:34:01 2006 
From: mroselinux at eastgranby.k12.ct.us (mroselinux at eastgranby.k12.ct.us) Date: Wed, 26 Apr 2006 13:34:01 -0400 (EDT) Subject: samba selinux adding new PC to domain In-Reply-To: <444F82D8.1040003@city-fan.org> References: <444F82D8.1040003@city-fan.org> Message-ID: <1365.24.2.210.202.1146072841.squirrel@mail.eastgranby.k12.ct.us> I've migrated our samba server to FC5 and have selinux enforcing. I have the smbd_disable_trans boolean on. I just went to add a new PC to our domain and was not able to until I changed selinux to permissive. Below are the log messages. Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:161): avc: denied { read } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file Apr 25 12:53:25 hssrv01 smbd[24950]: [2006/04/25 12:53:25.092274, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2404) Apr 25 12:53:25 hssrv01 smbd[24950]: _samr_create_user: Running the command `/usr/sbin/useradd -d /dev/null -g mac6068346148hines -c 'Machine Account' -s /bin/false -M mslib2k10w$' gave 1 Note that smbd invokes the useradd command. How can I always leave enforcing on? Earlier, I sent an email indicating that the samba "net groupmap" command also is a problem with enforcing on. Mark Orenstein East Granby, CT School System From dwalsh at redhat.com Wed Apr 26 15:49:47 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 26 Apr 2006 11:49:47 -0400 Subject: Relabeling nfs_t files In-Reply-To: References: Message-ID: <444F969B.2030401@redhat.com> Orion Poplawski wrote: > I have a problem where occasionally files end up with the nfs_t > context on local filesystems, presumably due to folks moving them > there off of nfs mounts. However, these files cannot be backed up by > amanda. My thought was to run restorecon or fixfiles regularly on the > directory tree to reset the context, but I get: > > audit(1145565590.726:16283): avc: denied { getattr } for pid=22182 > comm="restorecon" name="TT_v2.mat" dev=sda1 ino=204482 > scontext=root:system_r:restorecon_t tcontext=system_u:object_r:nfs_t > tclass=file > I will fix this in policy. You should be able to execute chcon -t DOMAIN FILE > So, what to do? > > Thanks! > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From kayvan at sylvan.com Wed Apr 26 21:14:33 2006 
From: kayvan at sylvan.com (Kayvan A. Sylvan) Date: Wed, 26 Apr 2006 14:14:33 -0700 Subject: dump/restore (or "star") and SELinux problems Message-ID: <20060426211433.GH27244@satyr.sylvan.com>

Hi folks, I am trying again. I haven't gotten an answer that works yet and hoping that people who know more about SELinux and Fedora can see this and suggest a solution (or at least a way to investigate).

My goal: To be able to resize a partition (or rearrange filesystems) without losing any data or meta-data. parted is useless, since it won't handle the xattr filesystem data. I used dump to create a filesystem backup, then used the FC5 Install DVD to go into rescue mode and restore the dump. That seems to work okay for the file data. However, for each and every file, I get the message:

restore: lsetxattr ./filename_being_restored failed: Invalid argument

Using "ls -Z", I see that all the files end up being unlabeled (or they are in the unlabeled_t context). These files were all set up in Fedora FC4, using the targeted policy. When I am booting up using the FC5 Install DVD ("linux rescue"), the SELinux startup shows:

security: 3 users, 6 roles, 1161 types, 135 bools, 1 sens, 256 cats
security: 55 classes, 38679 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev loop0, type squashfs), not configured for labeling SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts SELinux: initialized (dev devpts, type devpts), uses transition SIDs SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts SELinux: initialized (dev pipefs, type pipefs), uses task SIDs SELinux: initialized (dev sockfs, type sockfs), uses task SIDs SELinux: initialized (dev cpuset, type cpuset), not configured for labeling SELinux: initialized (dev proc, type proc), uses genfs_contexts SELinux: initialized (dev bdev, type bdev), uses genfs_contexts SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts I have also tried using "star" with the following args: star -v -c -xdev -sparse -acl -link-dirs level=0 -wtardumps \ f=root.star -C / . And then, when booted into the rescue mode, did the following to extract: star -xpU -restore f=root.star This produced the same result. The files end up being unlabeled. I am wondering if I have to have the same SELinux policy loaded while in the rescue mode in order to avoid the "lsetxattr: invalid argument" error? How would I go about doing that? Thanks for any help! ---Kayvan -- Kayvan A. 
Sylvan | Proud husband of | Father to my kids: Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89) http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92) From rhallyx at mindspring.com Thu Apr 27 01:14:57 2006 From: rhallyx at mindspring.com (Richard Hally) Date: Wed, 26 Apr 2006 21:14:57 -0400 Subject: enforcing reset to disabled on update Message-ID: <44501B11.50707@mindspring.com> When I updated to the latest targeted policy (see below), the configuration was changed to disabled! This is the second update that has made this change. The previous policy update was the first time that has happened and was reported by both myself and Tom London. Apparently the change listed in the 04/26 rawhide report (also below) needs further attention. installed on an updated rawhide system: selinux-policy-2.2.35-2 selinux-policy-targeted-2.2.35-2 libselinux-devel-1.30.3-1 libselinux-python-1.30.3-1 selinux-doc-1.25.2-1 selinux-policy-mls-2.2.35-2 libselinux-1.30.3-1 selinux-policy-strict-2.2.35-2 selinux-policy-2.2.35-2 ----------------------- * Tue Apr 25 2006 James Antill 2.2.35-2 - Add xm policy - Fix policygentool * Mon Apr 24 2006 Dan Walsh 2.2.35-1 - Update to upstream - Fix postun to only disable selinux on full removal of the packages <------- From rfoster at mountainvisions.com.au Thu Apr 27 02:41:09 2006 
From: rfoster at mountainvisions.com.au (Robert Foster) Date: Thu, 27 Apr 2006 12:41:09 +1000 Subject: Error running ffmpeg due to permission denied on library Message-ID: <001401c669a4$0ae8a690$f5d94d8a@RoverXP> Hi, I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the following error (from the debug message via Gallery): Executing: ( "/usr/bin/ffmpeg" "-h" ) 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0) feof(Resource id #108) fgets(Resource id #108, 4096) feof(Resource id #108) fgets(Resource id #108, 4096) feof(Resource id #108) fclose(Resource id #108) unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) Regular Output: Error Output: /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51: cannot enable executable stack as shared object requires: Permission denied Status: 127 (expected 0) A quick look in /usr/lib reveals: -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libavcodec.so -> libavcodec-CVS.so lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libavcodec.so.51 -> libavcodec-CVS.so /var/log/audit/audit.log shows: type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003 syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack } for pid=25007 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003 syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack } for pid=25009 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003 syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack } for pid=25011 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" when I run the page producing the error output. I tried to set the allow_execstack boolean but it didn't make any difference. I'm out of ideas on this one - any help appreciated :) Robert Foster General Manager Mountain Visions P/L http://mountainvisions.com.au Mobile: 0418 131 065 -------------- next part -------------- An HTML attachment was scrubbed... URL: From Klaus.Steinberger at physik.uni-muenchen.de Thu Apr 27 05:39:27 2006 
From: Klaus.Steinberger at physik.uni-muenchen.de (Klaus Steinberger) Date: Thu, 27 Apr 2006 07:39:27 +0200 Subject: FC5: Problem with acroread and CISCO VPN Message-ID: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> Hello, in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well as acroread: [klaus.steinberger at noname ~]$ acroread /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore segment prot after reloc: Permission denied [klaus.steinberger at noname ~]$ type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366 comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1146115808.601:23): arch=40000003 syscall=125 success=no exit=-13 a0=2d4000 a1=aa000 a2=5 a3=bfb2dfd0 items=0 pid=3366 auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100 sgid=100 fsgid=100 comm="acroread" exe="/usr/lib/acroread/Reader/intellinux/bin/acroread" type=AVC_PATH msg=audit(1146115808.601:23): path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so" [klaus.steinberger at noname ~]$ vpnclient connect lrz vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied [klaus.steinberger at noname ~]$ type=AVC msg=audit(1146115819.449:24): avc: denied { execmod } for pid=3437 comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1146115819.449:24): arch=40000003 syscall=125 success=no exit=-13 a0=5ce000 a1=43000 a2=5 a3=bfa87450 items=0 pid=3437 auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100 sgid=100 fsgid=100 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient" type=AVC_PATH 
msg=audit(1146115819.449:24): path="/opt/cisco-vpnclient/lib/libvpnapi.so" My system is up2date: [klaus.steinberger at noname ~]$ rpm -q selinux-policy-targeted selinux-policy-targeted-2.2.34-3.fc5 [klaus.steinberger at noname ~]$ rpm -q acroread acroread-7.0.5-2.2 [klaus.steinberger at noname ~]$ I'm currently not too familiar with selinux, so the only workaround I know is to "setenforce 0". Sincerely, Klaus -- Klaus Steinberger Maier-Leibnitz Labor Phone: (+49 89)289 14287 Am Coulombwall 6, D-85748 Garching, Germany FAX: (+49 89)289 14280 EMail: Klaus.Steinberger at Physik.Uni-Muenchen.DE URL: http://www.physik.uni-muenchen.de/~k2/ In a world without Walls and Fences, who needs Windows and Gates From knute at frazmtn.com Thu Apr 27 05:56:46 2006 From: knute at frazmtn.com (Knute Johnson) Date: Wed, 26 Apr 2006 22:56:46 -0700 Subject: vsftpd problem Message-ID: <444FFAAE.29757.344E80@knute.frazmtn.com> I tried to ftp into my new FC5 box for the first time today and discovered that there was an selinux problem and the login was denied. I changed the ftp_home_dir boolean to on and now it works. Is that the right thing to do? Thanks, -- Knute Johnson Molon Labe... From st.gross at gmx.de Thu Apr 27 06:58:28 2006 
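The denials quoted in the samba, ffmpeg and acroread messages above all have the same shape (avc: denied { perms } for ... scontext= tcontext= tclass=), whether they come from the kernel log or from auditd. As an added example, not code from the list or from any of the posters, here is a small parser that groups them by source type, target type and object class, the same merge audit2allow performs, and separates the execstack/execmod cases, where the thread's fix is in the library's labeling or build rather than in policy, from the ordinary access denials, for which it prints the allow rule a local module would need (to be reviewed, not loaded blindly). The sample log is constructed by copying lines from those messages.

```python
import re
from collections import defaultdict

# Sample input constructed for this example: AVC lines copied from the samba,
# ffmpeg and acroread messages above, in both the kernel-log and auditd formats.
SAMPLE_LOG = """\
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:161): avc: denied { read } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Apr 25 12:53:25 hssrv01 kernel: audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack } for pid=25007 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003 syscall=125 success=no exit=-13 pid=25007 comm="ffmpeg" exe="/usr/bin/ffmpeg"
type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366 comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """The type is the third field of user:role:type[:range]."""
    return context.split(":")[2]


def summarize(lines):
    """Merge denials into (source type, target type, class) -> union of permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key] |= rec["perms"]
    return dict(groups)


def triage(summary):
    """Per group: ('allow', rule) with the rule audit2allow would propose for a
    local module, or ('memprot', advice) where the fix belongs in the library."""
    result = {}
    for (src, tgt, cls), perms in summary.items():
        if "execmod" in perms:
            advice = ("library needs text relocations: label it textrel_shlib_t "
                      "(chcon/semanage) instead of enabling allow_execmod for every domain")
            result[(src, tgt, cls)] = ("memprot", advice)
        elif "execstack" in perms:
            advice = ("library asks for an executable stack (missing or RWE PT_GNU_STACK): "
                      "rebuild it instead of enabling allow_execstack")
            result[(src, tgt, cls)] = ("memprot", advice)
        else:
            rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            result[(src, tgt, cls)] = ("allow", rule)
    return result


if __name__ == "__main__":
    for key, (kind, text) in sorted(triage(summarize(SAMPLE_LOG.splitlines())).items()):
        print("%s -> %s: %s" % (key, kind, text))
```

Running it on the sample yields one rule for useradd_t on samba_log_t (append) and one for useradd_t on etc_runtime_t (read write), while the ffmpeg and acroread groups are reported as memory-protection problems rather than turned into rules.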
From: st.gross at gmx.de (Stephan Groß) Date: Thu, 27 Apr 2006 08:58:28 +0200 Subject: FC5: Problem with acroread and CISCO VPN In-Reply-To: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> Message-ID: <200604270858.31824.st.gross@gmx.de> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: Hi, > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well > as acroread: > > [klaus.steinberger at noname ~]$ acroread > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: > cannot restore segment prot after reloc: Permission denied > [klaus.steinberger at noname ~]$ after some googling I found following advice that worked for me to enable acroread again: 1. Start "System" > "Administration" > "Security Level and Firewall" 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" 3. Tick the check box next to "Allow the use of shared libraries with Text Relocation". Regards, Stephan. From Klaus.Steinberger at physik.uni-muenchen.de Thu Apr 27 07:16:47 2006 
From: Klaus.Steinberger at physik.uni-muenchen.de (Klaus Steinberger) Date: Thu, 27 Apr 2006 09:16:47 +0200 Subject: FC5: Problem with acroread and CISCO VPN In-Reply-To: <200604270858.31824.st.gross@gmx.de> References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604270858.31824.st.gross@gmx.de> Message-ID: <200604270916.47726.Klaus.Steinberger@physik.uni-muenchen.de> Hi, > after some googling I found following advice that worked for me to enable > acroread again: > > 1. Start "System" > "Administration" > "Security Level and Firewall" > 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" > 3. Tick the check box next to "Allow the use of shared libraries with Text > Relocation". Yep, that fixed it. Also the CISCO Client runs with this setting. Sincerely, Klaus Steinberger -- Klaus Steinberger Maier-Leibnitz Labor Phone: (+49 89)289 14287 Am Coulombwall 6, D-85748 Garching, Germany FAX: (+49 89)289 14280 EMail: Klaus.Steinberger at Physik.Uni-Muenchen.DE URL: http://www.physik.uni-muenchen.de/~k2/ In a world without Walls and Fences, who needs Windows and Gates From paul at city-fan.org Thu Apr 27 07:34:39 2006 
From: paul at city-fan.org (Paul Howarth) Date: Thu, 27 Apr 2006 08:34:39 +0100 Subject: Error running ffmpeg due to permission denied on library In-Reply-To: <001401c669a4$0ae8a690$f5d94d8a@RoverXP> References: <001401c669a4$0ae8a690$f5d94d8a@RoverXP> Message-ID: <1146123280.18816.5.camel@laurel.intra.city-fan.org> On Thu, 2006-04-27 at 12:41 +1000, Robert Foster wrote: > Hi, > I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the > following error (from the debug message via Gallery): > > Executing: ( "/usr/bin/ffmpeg" "-h" ) > 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC > file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) > filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) > fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0) > feof(Resource id #108) > fgets(Resource id #108, 4096) > feof(Resource id #108) > fgets(Resource id #108, 4096) > feof(Resource id #108) > fclose(Resource id #108) > unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) > Regular Output: > Error Output: > /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51: > cannot enable executable stack as shared object requires: Permission > denied > Status: 127 (expected 0) > A quick look in /usr/lib reveals: > > -rwxr-xr-x root root > system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so > lrwxrwxrwx root root > system_u:object_r:lib_t /usr/lib/libavcodec.so -> > libavcodec-CVS.so > lrwxrwxrwx root root > system_u:object_r:lib_t /usr/lib/libavcodec.so.51 -> > libavcodec-CVS.so > > > /var/log/audit/audit.log shows: > > type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003 > syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack } > for pid=25007 comm="ffmpeg" > scontext=user_u:system_r:httpd_sys_script_t:s0 > 
tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process > type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003 > syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack } > for pid=25009 comm="ffmpeg" > scontext=user_u:system_r:httpd_sys_script_t:s0 > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process > type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003 > syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack } > for pid=25011 comm="ffmpeg" > scontext=user_u:system_r:httpd_sys_script_t:s0 > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process > type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003 > syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > > when I run the page producing the error output. > > I tried to set the allow_execstack boolean but it didn't make any > difference. Are you sure you've set the boolean? # getsebool allow_execstack ffmpeg is probably using a library that was not built for FC5. You should be able to find which one it is as follows: * List all libraries loaded. Assuming ffmpeg doesn't load any itself, the following should work: $ ldd /usr/bin/ffmpeg | sed -e 's,[^/]*\(/[^ ]*\).*,\1,' For each of the listed libraries, do: $ eu-readelf -l /path/to/library There must be a GNU_STACK line. If this is missing or the permissions (second to last field) is RWX instead of RW you found the culprit. Paul. 
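Paul's check above runs eu-readelf over each library and looks for the GNU_STACK program header: if it is absent, or carries RWE instead of RW, that library is the one asking for an executable stack. The same test done directly on the ELF program headers, as an added example that is not Paul's procedure nor code from ffmpeg or elfutils: it reads PT_GNU_STACK from 32- and 64-bit, little- and big-endian images and returns "ok", "executable" or "missing" (glibc treats a missing PT_GNU_STACK as a request for an executable stack). The three images it is exercised on are constructed by make_elf (ELF header plus program headers only) rather than read from real libraries; check_file applies the same test to a file on disk.

```python
import struct
import sys

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2


def program_headers(data):
    """Yield (p_type, p_flags) for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass, order = data[4], data[5]
    end = "<" if order == ELFDATA2LSB else ">"
    if elfclass == ELFCLASS32:
        # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42; p_flags is word 6 of a Phdr
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
            yield p_type, p_flags
    elif elfclass == ELFCLASS64:
        # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54; p_flags directly follows p_type
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
            yield p_type, p_flags
    else:
        raise ValueError("unknown ELF class %d" % elfclass)


def flags_str(flags):
    """Render p_flags the way eu-readelf prints them, e.g. 'RW' or 'RWE'."""
    return "".join(ch for bit, ch in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)


def stack_verdict(data):
    """'ok' for a non-executable PT_GNU_STACK, 'executable' for RWE, 'missing' if absent."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "ok"
    return "missing"


def check_file(path):
    with open(path, "rb") as f:
        return stack_verdict(f.read())


def make_elf(elfclass, phdrs, order=ELFDATA2LSB):
    """Constructed minimal ELF image (header + program headers) used as sample input."""
    end = "<" if order == ELFDATA2LSB else ">"
    ident = b"\x7fELF" + bytes([elfclass, order, 1]) + b"\x00" * 9
    if elfclass == ELFCLASS32:
        ehsize, phentsize = 52, 32
        hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 3, 3, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    else:
        ehsize, phentsize = 64, 56
        hdr = ident + struct.pack(end + "HHIQQQIHHHHHH", 3, 62, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print("%s: %s" % (path, check_file(path)))
    else:
        samples = {
            "clean library": make_elf(ELFCLASS32, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)]),
            "RWE stack": make_elf(ELFCLASS32, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
            "no GNU_STACK": make_elf(ELFCLASS64, [(PT_LOAD, PF_R | PF_X)], order=ELFDATA2MSB),
        }
        for name, image in samples.items():
            print("%-14s %s" % (name, stack_verdict(image)))
```

Run with library paths as arguments (the output of Paul's ldd pipeline works) to get one verdict per file; anything other than "ok" is the library to take up with its packager.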
From paul at city-fan.org Thu Apr 27 07:50:21 2006 From: paul at city-fan.org (Paul Howarth) Date: Thu, 27 Apr 2006 08:50:21 +0100 Subject: FC5: Problem with acroread and CISCO VPN In-Reply-To: <200604270858.31824.st.gross@gmx.de> References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604270858.31824.st.gross@gmx.de> Message-ID: <1146124222.18816.12.camel@laurel.intra.city-fan.org> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote: > On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: > > Hi, > > > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well > > as acroread: > > > > [klaus.steinberger at noname ~]$ acroread > > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading > > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: > > cannot restore segment prot after reloc: Permission denied > > [klaus.steinberger at noname ~]$ > > after some googling I found following advice that worked for me to enable > acroread again: > > 1. Start "System" > "Administration" > "Security Level and Firewall" > 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" > 3. Tick the check box next to "Allow the use of shared libraries with Text > Relocation". A better fix is to label the acroread files correctly, which only "opens" the protection for acroread and not every process on the system: I believe you need: # chcon -t textrel_shlib_t \ /usr/lib/acroread/Reader/intellinux/lib/*.so \ /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ /usr/lib/acroread/Reader/intellinux/plug_ins/*.api Paul. From paul at city-fan.org Thu Apr 27 07:52:35 2006 
From: paul at city-fan.org (Paul Howarth) Date: Thu, 27 Apr 2006 08:52:35 +0100 Subject: vsftpd problem In-Reply-To: <444FFAAE.29757.344E80@knute.frazmtn.com> References: <444FFAAE.29757.344E80@knute.frazmtn.com> Message-ID: <1146124355.18816.16.camel@laurel.intra.city-fan.org> On Wed, 2006-04-26 at 22:56 -0700, Knute Johnson wrote: > I tried to ftp into my new FC5 box for the first time today and > discovered that there was an selinux problem and the login was > denied. I changed the ftp_home_dir boolean to on and now it works. > Is that the right thing to do? Yes. The default policy doesn't allow home directory access to ftp daemons because it's not always needed (and of course the password is sent in plain text over the network in ftp so many people don't allow non-anonymous ftp logins). Paul. From rfoster at mountainvisions.com.au Thu Apr 27 09:58:03 2006 
From: rfoster at mountainvisions.com.au (Robert Foster) Date: Thu, 27 Apr 2006 19:58:03 +1000 Subject: Error running ffmpeg due to permission denied on library In-Reply-To: <1146123280.18816.5.camel@laurel.intra.city-fan.org> Message-ID: <004501c669e1$136ff420$f5d94d8a@RoverXP>

Hi Paul, Thanks for your help, but no luck so far :(

# getsebool allow_execstack
allow_execstack --> on - As expected.

# eu-readelf -l /usr/lib/libavcodec.so.51
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x32dabc 0x32dabc R E 0x1000
  LOAD           0x32e000 0x0032e000 0x0032e000 0x00a390 0x0e0a90 RW  0x1000
  DYNAMIC        0x32e098 0x0032e098 0x0032e098 0x000138 0x000138 RW  0x4
  GNU_EH_FRAME   0x312588 0x00312588 0x00312588 0x00511c 0x00511c R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4 <------ Bummer :(

 Section to Segment mapping:
  Segment Sections...
   00     [RO: .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame]
   01     .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02     .dynamic
   03     [RO: .eh_frame_hdr]
   04

Bummer. I guess I'll have to contact the livna repository maintainer and see what can be done about this. Thanks again for your help.

Robert Foster

-----Original Message-----
From: Paul Howarth [mailto:paul at city-fan.org] Sent: Thursday, 27 April 2006 5:35 PM To: Robert Foster Cc: fedora-selinux-list at redhat.com Subject: Re: Error running ffmpeg due to permission denied on library On Thu, 2006-04-27 at 12:41 +1000, Robert Foster wrote: > Hi, > I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the > following error (from the debug message via Gallery): > > Executing: ( "/usr/bin/ffmpeg" "-h" ) > 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC > file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) > filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) > fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0) feof(Resource > id #108) fgets(Resource id #108, 4096) feof(Resource id #108) > fgets(Resource id #108, 4096) feof(Resource id #108) fclose(Resource > id #108) > unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC) > Regular Output: > Error Output: > /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51: > cannot enable executable stack as shared object requires: Permission > denied > Status: 127 (expected 0) > A quick look in /usr/lib reveals: > > -rwxr-xr-x root root > system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so > lrwxrwxrwx root root > system_u:object_r:lib_t /usr/lib/libavcodec.so -> > libavcodec-CVS.so > lrwxrwxrwx root root > system_u:object_r:lib_t /usr/lib/libavcodec.so.51 -> > libavcodec-CVS.so > > > /var/log/audit/audit.log shows: > > type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003 > syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack } > for pid=25007 comm="ffmpeg" > scontext=user_u:system_r:httpd_sys_script_t:s0 > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process > type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003 
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack } > for pid=25009 comm="ffmpeg" > scontext=user_u:system_r:httpd_sys_script_t:s0 > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process > type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003 > syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack } > for pid=25011 comm="ffmpeg" > scontext=user_u:system_r:httpd_sys_script_t:s0 > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process > type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003 > syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 > a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48 > fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg" > > when I run the page producing the error output. > > I tried to set the allow_execstack boolean but it didn't make any > difference. Are you sure you've set the boolean? # getsebool allow_execstack ffmpeg is probably using a library that was not built for FC5. You should be able to find which one it is as follows: * List all libraries loaded. Assuming ffmpeg doesn't load any itself, the following should work: $ ldd /usr/bin/ffmpeg | sed -e 's,[^/]*\(/[^ ]*\).*,\1,' For each of the listed libraries, do: $ eu-readelf -l /path/to/library There must be a GNU_STACK line. If this is missing or the permissions (second to last field) is RWX instead of RW you found the culprit. Paul. From st.gross at gmx.de Thu Apr 27 10:00:56 2006 
From: st.gross at gmx.de (Stephan Groß) Date: Thu, 27 Apr 2006 12:00:56 +0200 Subject: FC5: Problem with acroread and CISCO VPN In-Reply-To: <1146124222.18816.12.camel@laurel.intra.city-fan.org> References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604270858.31824.st.gross@gmx.de> <1146124222.18816.12.camel@laurel.intra.city-fan.org> Message-ID: <200604271201.00054.st.gross@gmx.de> On Thursday 27 April 2006 09:50, Paul Howarth wrote: > > > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as > > > well as acroread: > > > > > > [klaus.steinberger at noname ~]$ acroread > > > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading > > > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: > > > cannot restore segment prot after reloc: Permission denied > > > [klaus.steinberger at noname ~]$ > > > > after some googling I found following advice that worked for me to enable > > acroread again: > > > > 1. Start "System" > "Administration" > "Security Level and Firewall" > > 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" > > 3. Tick the check box next to "Allow the use of shared libraries with > > Text Relocation". > > A better fix is to label the acroread files correctly, which only > "opens" the protection for acroread and not every process on the system: > > I believe you need: > # chcon -t textrel_shlib_t \ > /usr/lib/acroread/Reader/intellinux/lib/*.so \ > /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ > /usr/lib/acroread/Reader/intellinux/plug_ins/*.api I have checked that. As I am using the original RPM packets provided by Adobe the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a chcon -t textrel_shlib_t \ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so seems to be sufficient to run acroread and also use the plugin in Firefox. BTW, what are SPPlugins and plug_ins for? 
However, thank you Paul for providing this more customized solution. I assume that I only have to change the type context of the libraries distributed with the Cisco VPN client accordingly to run it with a "fully" enabled selinux. From tdiehl at rogueind.com Thu Apr 27 12:13:03 2006 
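The chcon commands in this thread change the label on the files as they are now; a later relabel (fixfiles, restorecon, or the autorelabel on boot) puts the files back to whatever the policy's file_contexts say, which for these paths is lib_t. The persistent form is a file-context rule added with semanage fcontext, whose argument is an anchored regular expression, so a path such as /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib needs its "." escaped or it matches Acrobat7X0 just as well. The helper below, an added example and not code from the list or from any SELinux tool, builds that pattern from the paths Stephan and Paul give above, checks what it matches the way setfiles does (against the whole path), and emits the semanage and restorecon commands; nothing is changed on the system when it runs.

```python
import re

# Regex metacharacters that must be escaped in a file_contexts pattern;
# the '.' in 'Acrobat7.0' is the one that bites in practice.
_META = re.compile(r"([.^$*+?()\[\]{}|\\])")


def escape_path(path):
    """Escape a literal path for use inside a file_contexts regular expression."""
    return _META.sub(r"\\\1", path)


def fcontext_pattern(directory, suffix):
    """Pattern for every file ending in `suffix` at any depth under `directory`,
    in the form semanage fcontext stores in file_contexts.local."""
    return escape_path(directory.rstrip("/")) + r"(/.*)?" + escape_path(suffix)


def matches(pattern, path):
    """setfiles/restorecon match patterns against the whole path (anchored at
    both ends), so emulate that with fullmatch rather than search."""
    return re.fullmatch(pattern, path) is not None


def persist_commands(directory, suffix, setype):
    """Record the rule in the policy store, then apply it to the files that
    exist now; unlike chcon, the label survives a relabel afterwards."""
    pattern = fcontext_pattern(directory, suffix)
    return [
        "semanage fcontext -a -t %s '%s'" % (setype, pattern),
        "restorecon -Rv '%s'" % directory,
    ]


if __name__ == "__main__":
    # Constructed check using the paths from the thread.
    lib_dir = "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib"
    pattern = fcontext_pattern(lib_dir, ".so")
    print("pattern:", pattern)
    for path in (lib_dir + "/libJP2K.so",
                 "/usr/local/Adobe/Acrobat7X0/Reader/intellinux/lib/libJP2K.so",
                 "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread"):
        print("%-66s %s" % (path, "matches" if matches(pattern, path) else "no match"))
    for cmd in persist_commands(lib_dir, ".so", "textrel_shlib_t"):
        print(cmd)
```

The same helper covers Paul's SPPlugins/*.apl and plug_ins/*.api directories with a different directory and suffix; after the semanage call, matchpathcon on one of the files shows the new type without touching anything.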
From: tdiehl at rogueind.com (Tom Diehl) Date: Thu, 27 Apr 2006 08:13:03 -0400 (EDT) Subject: FC5: Problem with acroread and CISCO VPN In-Reply-To: <1146124222.18816.12.camel@laurel.intra.city-fan.org> References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604270858.31824.st.gross@gmx.de> <1146124222.18816.12.camel@laurel.intra.city-fan.org> Message-ID: On Thu, 27 Apr 2006, Paul Howarth wrote: > On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote: > > On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: > > > > Hi, > > > > > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well > > > as acroread: > > > > > > [klaus.steinberger at noname ~]$ acroread > > > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading > > > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: > > > cannot restore segment prot after reloc: Permission denied > > > [klaus.steinberger at noname ~]$ > > > > after some googling I found following advice that worked for me to enable > > acroread again: > > > > 1. Start "System" > "Administration" > "Security Level and Firewall" > > 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" > > 3. Tick the check box next to "Allow the use of shared libraries with Text > > Relocation". > > A better fix is to label the acroread files correctly, which only > "opens" the protection for acroread and not every process on the system: > > I believe you need: > # chcon -t textrel_shlib_t \ > /usr/lib/acroread/Reader/intellinux/lib/*.so \ > /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ > /usr/lib/acroread/Reader/intellinux/plug_ins/*.api If I relabel as suggested above, what happens the next time the filesystem is relabeled? If as I suspect they get relabeled back to the previous settings, what is the correct way to make the changes permanent? 
Regards, Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com From selinux at gmail.com Thu Apr 27 13:44:54 2006 From: selinux at gmail.com (Tom London) Date: Thu, 27 Apr 2006 06:44:54 -0700 Subject: enforcing reset to disabled on update In-Reply-To: <44501B11.50707@mindspring.com> References: <44501B11.50707@mindspring.com> Message-ID: <4c4ba1530604270644s6f7f2f72s2abc94c282cc63b9@mail.gmail.com> On 4/26/06, Richard Hally wrote: > When I updated to the latest targeted policy (see below), the > configuration was changed to disabled! This is the second update that > has made this change. The previous policy update was the first time that > has happened and was reported by both myself and Tom London. > > Apparently the change listed in the 04/26 rawhide report (also below) > needs further attention. > > installed on an updated rawhide system: > selinux-policy-2.2.35-2 > selinux-policy-targeted-2.2.35-2 > libselinux-devel-1.30.3-1 > libselinux-python-1.30.3-1 > selinux-doc-1.25.2-1 > selinux-policy-mls-2.2.35-2 > libselinux-1.30.3-1 > selinux-policy-strict-2.2.35-2 > > selinux-policy-2.2.35-2 > ----------------------- > * Tue Apr 25 2006 James Antill 2.2.35-2 > - Add xm policy > - Fix policygentool > > * Mon Apr 24 2006 Dan Walsh 2.2.35-1 > - Update to upstream > - Fix postun to only disable selinux on full removal of the packages <------- > I can verify this. I separately updated to today's 'selinux-policy*' packages, and checked /etc/selinux/config before and afterwards. Before: SELINUX=enforcing Afterwards SELINUX=disabled tom -- Tom London From selinux at gmail.com Thu Apr 27 13:57:14 2006 
From: selinux at gmail.com (Tom London)
Date: Thu, 27 Apr 2006 06:57:14 -0700
Subject: enforcing reset to disabled on update
In-Reply-To: <4c4ba1530604270644s6f7f2f72s2abc94c282cc63b9@mail.gmail.com>
References: <44501B11.50707@mindspring.com> <4c4ba1530604270644s6f7f2f72s2abc94c282cc63b9@mail.gmail.com>
Message-ID: <4c4ba1530604270657h46ebfeb3pe984586ea0878708@mail.gmail.com>

On 4/27/06, Tom London wrote:
> I can verify this. I separately updated to today's 'selinux-policy*'
> packages, and check /etc/selinux/config before and afterwards.
> Before:
> SELINUX=enforcing
> Afterwards
> SELINUX=disabled
>
> tom

Could the offending script be the postuninstall script of selinux-policy:

postuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
    setenforce 0 2> /dev/null
    if [ ! -s /etc/selinux/config ]; then
        echo "SELINUX=disabled" > /etc/selinux/config
    else
        sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
    fi
fi

I also noticed that after the 'yum update', my system was in permissive mode....

tom
--
Tom London

From paul at city-fan.org Thu Apr 27 14:43:15 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 27 Apr 2006 15:43:15 +0100
Subject: FC5: Problem with acroread and CISCO VPN
In-Reply-To:
References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604270858.31824.st.gross@gmx.de> <1146124222.18816.12.camel@laurel.intra.city-fan.org>
Message-ID: <4450D883.3080507@city-fan.org>

Tom Diehl wrote:
> On Thu, 27 Apr 2006, Paul Howarth wrote:
>
>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>>
>>> Hi,
>>>
>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
>>>> as acroread:
>>>>
>>>> [klaus.steinberger at noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger at noname ~]$
>>> after some googling I found following advice that worked for me to enable
>>> acroread again:
>>>
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with Text
>>> Relocation".
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the system:
>>
>> I believe you need:
>> # chcon -t textrel_shlib_t \
>> /usr/lib/acroread/Reader/intellinux/lib/*.so \
>> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
>
> If I relabel as suggested above, what happens the next time the filesystem
> is relabeled. If as I suspect they get relabeled back to the previous settings,
> what is the correct way to make the changes permanent?

It can be done using semanage to add new file context objects.
However, I believe the required entries are *supposed* to be in the main
policy package:

# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api                         regular file  system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*   regular file  system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl      regular file  system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so      regular file  system_u:object_r:texrel_shlib_t:s0
# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5

If you have the latest policy and "restorecon -vR /path/to/acroread" doesn't
set the right context, raise it here and mention which files aren't getting
set to textrel_shlib_t. Hopefully it will get fixed so that this issue stops
cropping up on fedora-list every day like it seems to at the moment.

Paul.

From paul at city-fan.org Thu Apr 27 14:54:46 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 27 Apr 2006 15:54:46 +0100
Subject: FC5: Problem with acroread and CISCO VPN
In-Reply-To: <200604271201.00054.st.gross@gmx.de>
References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604270858.31824.st.gross@gmx.de> <1146124222.18816.12.camel@laurel.intra.city-fan.org> <200604271201.00054.st.gross@gmx.de>
Message-ID: <4450DB36.6080103@city-fan.org>

Stephan Groß wrote:
> On Thursday 27 April 2006 09:50, Paul Howarth wrote:
>
>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
>>>> well as acroread:
>>>>
>>>> [klaus.steinberger at noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger at noname ~]$
>>> after some googling I found following advice that worked for me to enable
>>> acroread again:
>>>
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with
>>> Text Relocation".
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the system:
>>
>> I believe you need:
>> # chcon -t textrel_shlib_t \
>> /usr/lib/acroread/Reader/intellinux/lib/*.so \
>> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
>
> I have checked that. As I am using the original RPM packages provided by Adobe
> the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a
>
> chcon -t textrel_shlib_t \
> /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so
>
> seems to be sufficient to run acroread and also use the plugin in Firefox.
> BTW, what are SPPlugins and plug_ins for?
Dunno; I don't use it myself (evince is fine for my needs) and I picked up
the need to fix the two sets of plugins from various posts on fedora-list.

> However, thank you Paul for providing this more customized solution. I assume
> that I only have to change the type context of the libraries distributed with
> the Cisco VPN client accordingly to run it with a "fully" enabled selinux.

Probably, yes. If that works, please provide details of what needed to be
changed so that it can make it into the Core policy.

Paul.

From fedora at grifent.com Thu Apr 27 16:47:04 2006
From: fedora at grifent.com (John Griffiths)
Date: Thu, 27 Apr 2006 12:47:04 -0400
Subject: fedora-selinux-list Digest, Vol 26, Issue 32
In-Reply-To: <20060427095825.413A07309E@hormel.redhat.com>
References: <20060427095825.413A07309E@hormel.redhat.com>
Message-ID: <4450F588.4070701@grifent.com>

fedora-selinux-list-request at redhat.com wrote:
>
> Subject:
> Error running ffmpeg due to permission denied on library
> From:
> "Robert Foster"
> Date:
> Thu, 27 Apr 2006 12:41:09 +1000
> To:
>
> To:
>
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the
> following error (from the debug message via Gallery):
>
> Executing: ( "/usr/bin/ffmpeg" "-h" ) 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fclose(Resource id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission denied
> Status: 127 (expected 0)
>
> A quick look in /usr/lib reveals:
>
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libavcodec.so -> libavcodec-CVS.so
> lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libavcodec.so.51 -> libavcodec-CVS.so
>
> /var/log/audit/audit.log shows:
>
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003 syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack } for pid=25007 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003 syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack } for pid=25009 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003 syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack } for pid=25011 comm="ffmpeg" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
>
> when I run the page producing the error output.
>
> I tried to set the allow_execstack boolean but it didn't make any
> difference.
>
> I'm out of ideas on this one - any help appreciated :)
>
> Robert Foster
> General Manager
> Mountain Visions P/L http://mountainvisions.com.au
>
> Mobile: 0418 131 065
>

I had the same problem when using Kino which also uses ffmpeg. Here is what
I did and it works.

execstack -c /usr/lib/libmp3lame.so.0
execstack -c /usr/lib/libxvidcore.so.4
chcon -t textrel_shlib_t /usr/lib/libavformat.so.50
chcon -t textrel_shlib_t /usr/lib/libavutil.so.49
chcon -t textrel_shlib_t /usr/lib/libavcodec.so.51

This also takes care of the problem with lame-3.96.1-10.rhfc5.at,
libxvidcore4-1.1.0-8.rhfc5.at, libavformat50-0.4.9-14_cvs20060301.rhfc5.at,
libavutil49-0.4.9-14_cvs20060301.rhfc5.at, and
libavcodec51-0.4.9-14_cvs20060301.rhfc5.at.

Regards,
John

From sds at tycho.nsa.gov Thu Apr 27 16:54:57 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 27 Apr 2006 12:54:57 -0400
Subject: dump/restore (or "star") and SELinux problems
In-Reply-To: <20060426211433.GH27244@satyr.sylvan.com>
References: <20060426211433.GH27244@satyr.sylvan.com>
Message-ID: <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-04-26 at 14:14 -0700, Kayvan A. Sylvan wrote:
> Hi folks,
>
> I am trying again. I haven't gotten an answer that works yet and hoping that
> people who know more about SELinux and Fedora can see this and suggest
> a solution (or at least a way to investigate).
>
> My goal: To be able to resize a partition (or rearrange filesystems) without
> losing any data or meta-data.
>
> parted is useless, since it won't handle the xattr filesystem data.
>
> I used dump to create a filesystem backup, then used the FC5 Install DVD
> to go into rescue mode and restore the dump. That seemed to work okay for
> the file data. However, for each and every file, I get the message:
>
> restore: lsetxattr ./filename_being_restored failed: Invalid argument
>
> Using "ls -Z", I see that all the files end up being unlabeled (or they
> are in the unlabeled_t context).
>
> These files were all set up in Fedora FC4, using the targeted policy.

Ok, so the problem here is that dump is saving the raw attribute values
(which lack the MLS field since they came from FC4) and then calling
lsetxattr() with those raw attribute values, and the FC5 kernel is then
rejecting them since they lack the field. Related to:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189845

If restore instead used lsetfilecon(3), the attribute would be extended
appropriately. Short term workaround for you would be to run restorecon on
the filesystem after restoring it to fix up the labels.

> I have also tried using "star" with the following args:
>
> star -v -c -xdev -sparse -acl -link-dirs level=0 -wtardumps \
> f=root.star -C / .
>
> And then, when booted into the rescue mode, did the following to extract:
>
> star -xpU -restore f=root.star

Did you try following the instructions in the SELinux FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2978236

In particular, using -xattr and -H=exustar options. -acl is specific to
POSIX ACLs I believe.

> This produced the same result. The files end up being unlabeled.
>
> I am wondering if I have to have the same SELinux policy loaded while
> in the rescue mode in order to avoid the "lsetxattr: invalid argument"
> error? How would I go about doing that?

--
Stephen Smalley
National Security Agency

From kayvan at sylvan.com Thu Apr 27 18:16:11 2006
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Thu, 27 Apr 2006 11:16:11 -0700
Subject: dump/restore (or "star") and SELinux problems
In-Reply-To: <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil>
References: <20060426211433.GH27244@satyr.sylvan.com> <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060427181611.GA27193@satyr.sylvan.com>

Thank you, Stephen, for your helpful answers. I will try using "star" with
-xattr and -Hexustar and report back later tonight.

On Thu, Apr 27, 2006 at 12:54:57PM -0400, Stephen Smalley wrote:
>
> Did you try following the instructions in the SELinux FAQ:
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2978236
>
> In particular, using -xattr and -H=exustar options. -acl is specific to
> POSIX ACLs I believe.

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

From st.gross at gmx.de Thu Apr 27 18:43:43 2006
From: st.gross at gmx.de (Stephan Groß)
Date: Thu, 27 Apr 2006 20:43:43 +0200
Subject: FC5: Problem with acroread and CISCO VPN
In-Reply-To: <4450D883.3080507@city-fan.org>
References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <4450D883.3080507@city-fan.org>
Message-ID: <200604272043.47835.st.gross@gmx.de>

On Thursday 27 April 2006 16:43, Paul Howarth wrote:
> Tom Diehl wrote:
> > On Thu, 27 Apr 2006, Paul Howarth wrote:
> >> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> >>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> >>>
> >>> Hi,
> >>>
> >>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
> >>>> well as acroread:
> >>>>
> >>>> [klaus.steinberger at noname ~]$ acroread
> >>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
> >>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
> >>>> cannot restore segment prot after reloc: Permission denied
> >>>> [klaus.steinberger at noname ~]$
> >>>
> >>> after some googling I found following advice that worked for me to
> >>> enable acroread again:
> >>>
> >>> 1. Start "System" > "Administration" > "Security Level and Firewall"
> >>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
> >>> Compatibility" 3. Tick the check box next to "Allow the use of shared
> >>> libraries with Text Relocation".
> >>
> >> A better fix is to label the acroread files correctly, which only
> >> "opens" the protection for acroread and not every process on the system:
> >>
> >> I believe you need:
> >> # chcon -t textrel_shlib_t \
> >> /usr/lib/acroread/Reader/intellinux/lib/*.so \
> >> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> >> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> >
> > If I relabel as suggested above, what happens the next time the
> > filesystem is relabeled. If as I suspect they get relabeled back to the
> > previous settings, what is the correct way to make the changes permanent?
>
> It can be done using semanage to add new file context objects. However,
> I believe the required entries are *supposed* to be in the main policy
> package:
>
> # semanage fcontext -l | grep -Ei 'adobe|intellinux'
> /usr/(local/)?Adobe/.*\.api regular file
> system_u:object_r:texrel_shlib_t:s0
> /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file
> system_u:object_r:texrel_shlib_t:s0
> /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file
> system_u:object_r:textrel_shlib_t:s0
> /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file
> system_u:object_r:texrel_shlib_t:s0
> # rpm -q selinux-policy
> selinux-policy-2.2.34-3.fc5
>
> If you have the latest policy and "restorecon -vR /path/to/acroread"
> doesn't set the right context, raise it here and mention which files
> aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
> that this issue stops cropping up on fedora-list every day like it seems
> to at the moment.

I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a
"restorecon -vR /usr/local/Adobe" results in

"/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /opt (system_u:object_r:home_root_t and
system_u:object_r:usr_t).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /opt (system_u:object_r:home_root_t and
system_u:object_r:usr_t)."

and no file contexts changed. I am clueless about the details of selinux. Is
this a bug in the policy script or might this be a failure in my
installation? Don't know if it matters but I upgraded from FC4.

Regards,
Stephan.

From rfoster at mountainvisions.com.au Thu Apr 27 23:20:41 2006
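Paul's semanage listing and the "Multiple different specifications" error Stephan hit are two sides of the same mechanism: restorecon loads every file_contexts spec, refuses to proceed if the file is inconsistent, and otherwise resolves each path against the regexes. The following is an added example, not code from this thread or from libselinux, that models that lookup in Python so the behaviour can be checked without touching a live system. The spec table is constructed: the four Adobe regexes from Paul's listing (spelled textrel_shlib_t throughout; three of the four entries in his output read texrel_shlib_t), a few generic refpolicy-style entries, and a conflicting pair for /opt standing in for the one Stephan's restorecon run reported. The matching rules are a deliberate simplification of libselinux: the regex is anchored to the whole path, an optional file-type filter (-- regular file, -d directory, ...) must agree, and the last matching entry wins.

```python
"""Model how restorecon resolves a path against file_contexts specs and
reproduce its duplicate-spec check. Constructed sample data; simplified
libselinux semantics (anchored regex, optional type filter, last match wins)."""
import re
from collections import namedtuple

Spec = namedtuple("Spec", "regex_str mode context pattern")

# Constructed file_contexts fragment: regex, optional type filter, context.
FILE_CONTEXTS = r"""
/.*                                                    system_u:object_r:default_t:s0
/usr(/.*)?                                             system_u:object_r:usr_t:s0
/usr/(.*/)?lib(64)?(/.*)?                              system_u:object_r:lib_t:s0
/usr/(local/)?Adobe/.*\.api                        --  system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  --  system_u:object_r:textrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     --  system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     --  system_u:object_r:textrel_shlib_t:s0
/opt                                                   system_u:object_r:usr_t:s0
/opt                                               -d  system_u:object_r:home_root_t:s0
"""


def parse_specs(text):
    """Parse file_contexts lines into Spec tuples; the regex is anchored to the whole path."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        mode = fields[1] if len(fields) == 3 else None
        specs.append(Spec(fields[0], mode, fields[-1], re.compile("^" + fields[0] + "$")))
    return specs


def duplicate_specs(specs):
    """The same regex twice with compatible type filters (either unspecified, or equal)
    is invalid; return (regex, later_ctx, earlier_ctx) for each such pair whose
    contexts disagree. libselinux reports these and restorecon changes nothing."""
    problems = []
    for i, a in enumerate(specs):
        for b in specs[i + 1:]:
            compatible = a.mode is None or b.mode is None or a.mode == b.mode
            if a.regex_str == b.regex_str and compatible and a.context != b.context:
                problems.append((a.regex_str, b.context, a.context))
    return problems


def lookup(specs, path, mode="--"):
    """Context for path, where mode is the type filter of the object being
    labelled; later specs override earlier ones. None if nothing matches."""
    for spec in reversed(specs):
        if spec.mode not in (None, mode):
            continue
        if spec.pattern.match(path):
            return spec.context
    return None


def restorecon_plan(spec_text, paths):
    """Mimic restorecon: bail out on an inconsistent spec file, otherwise map
    each (regular-file) path to the context it should carry."""
    specs = parse_specs(spec_text)
    dups = duplicate_specs(specs)
    if dups:
        msgs = ["Multiple different specifications for %s (%s and %s)." % d for d in dups]
        return {"error": msgs, "labels": {}}
    return {"error": [], "labels": {p: lookup(specs, p) for p in paths}}


# Paths from the thread (Stephan's Adobe install and Robert's ffmpeg library).
ACROREAD_FILES = [
    "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so",
    "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl",
    "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/Annots.api",
    "/usr/lib/libavcodec.so.51",
]
# The same table once the stray home_root_t entry for /opt is gone.
FIXED_CONTEXTS = "\n".join(l for l in FILE_CONTEXTS.splitlines() if "home_root_t" not in l)

if __name__ == "__main__":
    for table in (FILE_CONTEXTS, FIXED_CONTEXTS):
        plan = restorecon_plan(table, ACROREAD_FILES)
        print(plan["error"] or plan["labels"])
```

Run as a script it first prints the single "Multiple different specifications for /opt ..." message and an empty label map, then, with the conflicting entry removed, the three Adobe files resolving to textrel_shlib_t and libavcodec.so.51 to lib_t, which is what the ls -Z output earlier in the thread shows before chcon. The practical point is the order of checks: the conflict is detected while loading the spec file, before any path is examined, so a stray entry anywhere in file_contexts stops relabelling everywhere.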
From: rfoster at mountainvisions.com.au (Robert Foster)
Date: Fri, 28 Apr 2006 09:20:41 +1000
Subject: fedora-selinux-list Digest, Vol 26, Issue 32
In-Reply-To: <4450F588.4070701@grifent.com>
Message-ID: <001401c66a51$338383b0$5e00a8c0@RoverXP>

Hi John,

Thanks for that, executing

#execstack -c /usr/lib/libavcodec.so.51.8.0

Did the trick.

Robert Foster

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of John Griffiths
Sent: Friday, 28 April 2006 2:47 AM
To: fedora-selinux-list at redhat.com
Subject: Re: fedora-selinux-list Digest, Vol 26, Issue 32

I had the same problem when using Kino which also uses ffmpeg. Here is what
I did and it works.

execstack -c /usr/lib/libmp3lame.so.0
execstack -c /usr/lib/libxvidcore.so.4
chcon -t textrel_shlib_t /usr/lib/libavformat.so.50
chcon -t textrel_shlib_t /usr/lib/libavutil.so.49
chcon -t textrel_shlib_t /usr/lib/libavcodec.so.51

This also takes care of the problem with lame-3.96.1-10.rhfc5.at,
libxvidcore4-1.1.0-8.rhfc5.at, libavformat50-0.4.9-14_cvs20060301.rhfc5.at,
libavutil49-0.4.9-14_cvs20060301.rhfc5.at, and
libavcodec51-0.4.9-14_cvs20060301.rhfc5.at.

Regards,
John

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From kayvan at sylvan.com Fri Apr 28 02:19:21 2006
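The two loader failures in these threads are both properties of the ELF object rather than of the policy: the ffmpeg libraries carry a PT_GNU_STACK program header with the executable bit set (hence the execstack AVC and "cannot enable executable stack as shared object requires"), and libJP2K.so needs text relocations (DT_TEXTREL, hence "cannot restore segment prot after reloc", which is the execmod check that the textrel_shlib_t label relaxes). John and Robert fixed the first with execstack -c, which does nothing more than rewrite p_flags of that header. As an added example, not code from the thread or from the execstack tool, the Python below reads both flags straight from an ELF64 image and clears the executable-stack bit the same way, in place. It handles little-endian ELF64 only; the sample objects are constructed in memory as stand-ins for libavcodec and libJP2K and are not loadable. One caveat on John's recipe that the code makes visible: chcon follows symlinks and labels the target (libavcodec-CVS.so in Robert's ls -Z output), whereas execstack -c edits exactly the file it is given, so point both at the real object.

```python
"""Inspect an ELF64 shared object for the two flags SELinux trips on here:
PT_GNU_STACK requesting an executable stack, and DT_TEXTREL (text relocations).
Also clear the executable-stack bit the way `execstack -c` does, by rewriting
p_flags of PT_GNU_STACK in place. Little-endian ELF64 only; samples constructed."""
import struct

# ELF64 little-endian layouts.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # e_ident .. e_shstrndx (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
DYN = struct.Struct("<qQ")                  # d_tag d_val

PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 0x4


def program_headers(data):
    """Yield (index, file offset, unpacked fields) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        off = phoff + i * phentsize
        yield i, off, PHDR.unpack_from(data, off)


def stack_is_executable(data):
    """True/False from the PF_X bit of PT_GNU_STACK; None when the header is
    absent, which the loader treats as 'executable stack required'."""
    for _, _, ph in program_headers(data):
        if ph[0] == PT_GNU_STACK:
            return bool(ph[1] & PF_X)
    return None


def needs_textrel(data):
    """True if the dynamic section has DT_TEXTREL, or DF_TEXTREL in DT_FLAGS:
    ld.so must then make text writable to relocate it and restore PROT_EXEC after."""
    for _, _, ph in program_headers(data):
        if ph[0] != PT_DYNAMIC:
            continue
        pos, end = ph[2], ph[2] + ph[5]
        while pos + DYN.size <= end:
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
            pos += DYN.size
    return False


def clear_execstack(data):
    """Copy of data with PF_X cleared on PT_GNU_STACK (what `execstack -c` does).
    execstack(8) can also add the header when it is missing; this helper cannot."""
    buf = bytearray(data)
    for _, off, ph in program_headers(data):
        if ph[0] == PT_GNU_STACK:
            PHDR.pack_into(buf, off, ph[0], ph[1] & ~PF_X, *ph[2:])
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK header to rewrite")


def build_sample(stack_flags, textrel, with_stack_header=True):
    """Constructed minimal ET_DYN image: ELF header, program headers, dynamic
    section. Enough for the readers above; not a loadable library."""
    phdrs = [(PT_DYNAMIC, PF_R | PF_W)]
    if with_stack_header:
        phdrs.append((PT_GNU_STACK, stack_flags))
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    dyn = b""
    if textrel:
        dyn += DYN.pack(DT_TEXTREL, 0) + DYN.pack(DT_FLAGS, DF_TEXTREL)
    dyn += DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,    # ET_DYN, EM_X86_64
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    out = bytearray(ehdr)
    for ptype, flags in phdrs:
        size = len(dyn) if ptype == PT_DYNAMIC else 0
        off = dyn_off if ptype == PT_DYNAMIC else 0
        out += PHDR.pack(ptype, flags, off, off, off, size, size, 8)
    return bytes(out + dyn)


# Constructed stand-ins: libavcodec-like (executable stack), libJP2K-like (textrel).
LIBAVCODEC_LIKE = build_sample(PF_R | PF_W | PF_X, textrel=False)
LIBJP2K_LIKE = build_sample(PF_R | PF_W, textrel=True)
NO_STACK_HEADER = build_sample(0, textrel=False, with_stack_header=False)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(path, "execstack:", stack_is_executable(blob), "textrel:", needs_textrel(blob))
```

Pointed at real files (python3 elfflags.py /usr/lib/*.so*) this reports the same two properties execstack -q and readelf -d would, which tells you in advance which objects need execstack -c and which need the textrel_shlib_t label; clearing the stack bit is only safe when the library does not actually run code from its stack (nested functions or hand-written trampolines), which is why it is a per-object decision rather than a boolean flipped for the whole system.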
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Thu, 27 Apr 2006 19:19:21 -0700
Subject: dump/restore (or "star") and SELinux problems
In-Reply-To: <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil>
References: <20060426211433.GH27244@satyr.sylvan.com> <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060428021921.GA11700@satyr.sylvan.com>

On Thu, Apr 27, 2006 at 12:54:57PM -0400, Stephen Smalley wrote:
>
> Did you try following the instructions in the SELinux FAQ:
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2978236
>
> In particular, using -xattr and -H=exustar options. -acl is specific to
> POSIX ACLs I believe.

I created the archive using the -xattr and -Hexustar options. With my system
up, I can restore it to a different directory and the files are correctly
labeled. However, booted into the FC5 rescue mode, I get the following
message for every file:

star: Can not setup security context for 'testfile'. Not created.

The files end up looking like this afterwards:

# ls -lZ
-rw-r--r-- root root system_u:object_r:unlabeled_t testfile

So, it looks as if using dump/restore or "star", I have the same inability
to preserve security context. This is a practical problem for me since I am
wanting to recreate my partitions using an LVM.

Anyone have any other ideas?

Thanks for all the help so far!!!

---Kayvan
--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

From paul at city-fan.org Fri Apr 28 06:36:52 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 28 Apr 2006 07:36:52 +0100
Subject: FC5: Problem with acroread and CISCO VPN
In-Reply-To: <200604272043.47835.st.gross@gmx.de>
References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <4450D883.3080507@city-fan.org> <200604272043.47835.st.gross@gmx.de>
Message-ID: <1146206212.19610.16.camel@laurel.intra.city-fan.org>

On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
> On Thursday 27 April 2006 16:43, Paul Howarth wrote:
> > Tom Diehl wrote:
> > > On Thu, 27 Apr 2006, Paul Howarth wrote:
> > >> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> > >>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> > >>>
> > >>> Hi,
> > >>>
> > >>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
> > >>>> well as acroread:
> > >>>>
> > >>>> [klaus.steinberger at noname ~]$ acroread
> > >>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
> > >>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
> > >>>> cannot restore segment prot after reloc: Permission denied
> > >>>> [klaus.steinberger at noname ~]$
> > >>>
> > >>> after some googling I found following advice that worked for me to
> > >>> enable acroread again:
> > >>>
> > >>> 1. Start "System" > "Administration" > "Security Level and Firewall"
> > >>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
> > >>> Compatibility" 3. Tick the check box next to "Allow the use of shared
> > >>> libraries with Text Relocation".
> > >>
> > >> A better fix is to label the acroread files correctly, which only
> > >> "opens" the protection for acroread and not every process on the system:
> > >>
> > >> I believe you need:
> > >> # chcon -t textrel_shlib_t \
> > >> /usr/lib/acroread/Reader/intellinux/lib/*.so \
> > >> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> > >> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> > >
> > > If I relabel as suggested above, what happens the next time the
> > > filesystem is relabeled. If as I suspect they get relabeled back to the
> > > previous settings, what is the correct way to make the changes permanent?
> >
> > It can be done using semanage to add new file context objects. However,
> > I believe the required entries are *supposed* to be in the main policy
> > package:
> >
> > # semanage fcontext -l | grep -Ei 'adobe|intellinux'
> > /usr/(local/)?Adobe/.*\.api regular file
> > system_u:object_r:texrel_shlib_t:s0
> > /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file
> > system_u:object_r:texrel_shlib_t:s0
> > /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file
> > system_u:object_r:textrel_shlib_t:s0
> > /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file
> > system_u:object_r:texrel_shlib_t:s0
> > # rpm -q selinux-policy
> > selinux-policy-2.2.34-3.fc5
> >
> > If you have the latest policy and "restorecon -vR /path/to/acroread"
> > doesn't set the right context, raise it here and mention which files
> > aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
> > that this issue stops cropping up on fedora-list every day like it seems
> > to at the moment.
>
> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a
> "restorecon -vR /usr/local/Adobe" results in
>
> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /opt (system_u:object_r:home_root_t and
> system_u:object_r:usr_t).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /opt (system_u:object_r:home_root_t and
> system_u:object_r:usr_t)."

Have you moved root's home directory from /root to somewhere under /opt?

> and no file contexts changed. I am clueless about the details of selinux. Is
> this a bug in the policy script or might this be a failure in my
> installation. Don't know if it matters but I upgraded from FC4.

I've upgraded too; it shouldn't matter.

Paul.

From ce at ruault.com Fri Apr 28 07:50:40 2006
From: ce at ruault.com (Charles-Edouard Ruault)
Date: Fri, 28 Apr 2006 09:50:40 +0200
Subject: HOWTO: kdebluetooth with SELinux on FC5
Message-ID: <4451C950.5080108@ruault.com>

Hi all,
for those who are interested, after struggling to get kdebluetooth to work
on my FC5 with SELinux targeted policy I've published a HOWTO at the
following address: http://www.ruault.com/kdebluetooth/
Feel free to let me know if I've missed something or if it can be improved.

Regards.
--
Charles-Edouard Ruault
GPG key Id E4D2B80C

From tscherf at redhat.com Fri Apr 28 09:58:53 2006
From: tscherf at redhat.com (Thorsten Scherf)
Date: Fri, 28 Apr 2006 11:58:53 +0200
Subject: HOWTO: kdebluetooth with SELinux on FC5
In-Reply-To: <4451C950.5080108@ruault.com>
References: <4451C950.5080108@ruault.com>
Message-ID: <1146218334.5503.49.camel@tiffy.tuxgeek.de>

On Fri, 2006-04-28 at 09:50 +0200, Charles-Edouard Ruault wrote:
> Hi all,
> for those who are interested, after struggling to get kdebluetooth to
> work on my FC5 with SELinux targetted policy i've published a HOWTO at
> the following address: http://www.ruault.com/kdebluetooth/
> Feel free to let me know if i've missed something or if it can be improved.
> Regards.

4) Configure selinux

You need to download and install one of the following policy modules,
depending on the pin helper you're going to use:

    * bluez-pin, source file here.   <-- just a .te-file
    * kblupin, source file here.     <-- just a .te-file

Save the policy file and then as root, load it using the following command:
semodule -i policyname.pp

You can't load the source file as mentioned in your HOWTO. You have to
build a policy-package file from it and then use semodule -i file.pp to
load it.

--
Thorsten Scherf, RHCE, RHCA, RHCSS      Mobile: ++49 172 61 32 548
Red Hat GLS EMEA                        Fax: ++49 2064 470 564

From st.gross at gmx.de Fri Apr 28 10:15:07 2006
From: st.gross at gmx.de (Stephan Groß)
Date: Fri, 28 Apr 2006 12:15:07 +0200
Subject: FC5: Problem with acroread and CISCO VPN
In-Reply-To: <1146206212.19610.16.camel@laurel.intra.city-fan.org>
References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604272043.47835.st.gross@gmx.de> <1146206212.19610.16.camel@laurel.intra.city-fan.org>
Message-ID: <200604281215.09305.st.gross@gmx.de>

On Friday 28 April 2006 08:36, Paul Howarth wrote:
> On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
> > On Thursday 27 April 2006 16:43, Paul Howarth wrote:
> > > Tom Diehl wrote:
> > > > On Thu, 27 Apr 2006, Paul Howarth wrote:
> > > >> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> > > >>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> > > >>>
> > > >>> Hi,
> > > >>>
> > > >>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient,
> > > >>>> as well as acroread:
> > > >>>>
> > > >>>> [klaus.steinberger at noname ~]$ acroread
> > > >>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while
> > > >>>> loading shared libraries:
> > > >>>> /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore
> > > >>>> segment prot after reloc: Permission denied
> > > >>>> [klaus.steinberger at noname ~]$
> > > >>>
> > > >>> after some googling I found following advice that worked for me to
> > > >>> enable acroread again:
> > > >>>
> > > >>> 1. Start "System" > "Administration" > "Security Level and
> > > >>> Firewall" 2. On the "SELinux" tab click on "Modify SELinux Policy >
> > > >>> Compatibility" 3. Tick the check box next to "Allow the use of
> > > >>> shared libraries with Text Relocation".
> > > >>
> > > >> A better fix is to label the acroread files correctly, which only
> > > >> "opens" the protection for acroread and not every process on the
> > > >> system:
> > > >>
> > > >> I believe you need:
> > > >> # chcon -t textrel_shlib_t \
> > > >> /usr/lib/acroread/Reader/intellinux/lib/*.so \
> > > >> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> > > >> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> > > >
> > > > If I relabel as suggested above, what happens the next time the
> > > > filesystem is relabeled. If as I suspect they get relabeled back to
> > > > the previous settings, what is the correct way to make the changes
> > > > permanent?
> > >
> > > It can be done using semanage to add new file context objects. However,
> > > I believe the required entries are *supposed* to be in the main policy
> > > package:
> > >
> > > # semanage fcontext -l | grep -Ei 'adobe|intellinux'
> > > /usr/(local/)?Adobe/.*\.api regular file
> > > system_u:object_r:texrel_shlib_t:s0
> > > /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file
> > > system_u:object_r:texrel_shlib_t:s0
> > > /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file
> > > system_u:object_r:textrel_shlib_t:s0
> > > /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file
> > > system_u:object_r:texrel_shlib_t:s0
> > > # rpm -q selinux-policy
> > > selinux-policy-2.2.34-3.fc5
> > >
> > > If you have the latest policy and "restorecon -vR /path/to/acroread"
> > > doesn't set the right context, raise it here and mention which files
> > > aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
> > > that this issue stops cropping up on fedora-list every day like it
> > > seems to at the moment.
> >
> > I have the above mentioned selinux-policy-2.2.34-3.fc5 installed.
> > However, a "restorecon -vR /usr/local/Adobe" results in
> >
> > "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> > specifications for /opt (system_u:object_r:home_root_t and
> > system_u:object_r:usr_t).
> > /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> > specifications for /opt (system_u:object_r:home_root_t and
> > system_u:object_r:usr_t)."
>
> Have you moved root's home directory from /root to somewhere under /opt?

No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the
German answer to MS Encarta) installed, which registers a user bmm having its
home directory in /opt/bmm. However, I just checked that /opt is of type
home_root_t and all of its subdirectories are of type user_home_dir_t. Should
I change any of these settings?

Stephan.

From paul at city-fan.org Fri Apr 28 10:22:32 2006
From: paul at city-fan.org (Paul Howarth) Date: Fri, 28 Apr 2006 11:22:32 +0100 Subject: FC5: Problem with acroread and CISCO VPN In-Reply-To: <200604281215.09305.st.gross@gmx.de> References: <200604270739.27984.Klaus.Steinberger@physik.uni-muenchen.de> <200604272043.47835.st.gross@gmx.de> <1146206212.19610.16.camel@laurel.intra.city-fan.org> <200604281215.09305.st.gross@gmx.de> Message-ID: <4451ECE8.9080804@city-fan.org> Stephan Gro? wrote: > On Friday 28 April 2006 08:36, Paul Howarth wrote: >> On Thu, 2006-04-27 at 20:43 +0200, Stephan Gro? wrote: >>> On Thursday 27 April 2006 16:43, Paul Howarth wrote: >>>> Tom Diehl wrote: >>>>> On Thu, 27 Apr 2006, Paul Howarth wrote: >>>>>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Gro? wrote: >>>>>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, >>>>>>>> as well as acroread: >>>>>>>> >>>>>>>> [klaus.steinberger at noname ~]$ acroread >>>>>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while >>>>>>>> loading shared libraries: >>>>>>>> /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore >>>>>>>> segment prot after reloc: Permission denied >>>>>>>> [klaus.steinberger at noname ~]$ >>>>>>> after some googling I found following advice that worked for me to >>>>>>> enable acroread again: >>>>>>> >>>>>>> 1. Start "System" > "Administration" > "Security Level and >>>>>>> Firewall" 2. On the "SELinux" tab click on "Modify SELinux Policy > >>>>>>> Compatibility" 3. Tick the check box next to "Allow the use of >>>>>>> shared libraries with Text Relocation". 
>>>>>> A better fix is to label the acroread files correctly, which only
>>>>>> "opens" the protection for acroread and not every process on the
>>>>>> system:
>>>>>>
>>>>>> I believe you need:
>>>>>> # chcon -t textrel_shlib_t \
>>>>>> /usr/lib/acroread/Reader/intellinux/lib/*.so \
>>>>>> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>>>>>> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
>>>>> If I relabel as suggested above, what happens the next time the
>>>>> filesystem is relabeled? If, as I suspect, they get relabeled back to
>>>>> the previous settings, what is the correct way to make the changes
>>>>> permanent?
>>>> It can be done using semanage to add new file context objects. However,
>>>> I believe the required entries are *supposed* to be in the main policy
>>>> package:
>>>>
>>>> # semanage fcontext -l | grep -Ei 'adobe|intellinux'
>>>> /usr/(local/)?Adobe/.*\.api regular file
>>>> system_u:object_r:texrel_shlib_t:s0
>>>> /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file
>>>> system_u:object_r:texrel_shlib_t:s0
>>>> /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file
>>>> system_u:object_r:textrel_shlib_t:s0
>>>> /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file
>>>> system_u:object_r:texrel_shlib_t:s0
>>>> # rpm -q selinux-policy
>>>> selinux-policy-2.2.34-3.fc5
>>>>
>>>> If you have the latest policy and "restorecon -vR /path/to/acroread"
>>>> doesn't set the right context, raise it here and mention which files
>>>> aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
>>>> that this issue stops cropping up on fedora-list every day like it
>>>> seems to at the moment.
>>> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed.
>>> However, a "restorecon -vR /usr/local/Adobe" results in
>>>
>>> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
>>> specifications for /opt (system_u:object_r:home_root_t and
>>> system_u:object_r:usr_t).
>>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
>>> specifications for /opt (system_u:object_r:home_root_t and
>>> system_u:object_r:usr_t)."
>> Have you moved root's home directory from /root to somewhere under /opt?
>
> No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the
> German answer to MS Encarta) installed that registers a user bmm having its
> home directory in /opt/bmm. However, I just checked that /opt is of type
> home_root_t and all of its subdirectories are of type user_home_dir_t. Should
> I change any of these settings?

Moving its home directory to somewhere under /home might help.

Paul.

From sds at tycho.nsa.gov Fri Apr 28 11:37:14 2006
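The "Multiple different specifications" error and the relabelling discussed in the acroread thread above, as an added example (not code from the thread and not libselinux itself): a Python model of how libselinux loads file_contexts, reporting duplicate entries the way the real error message does and resolving a path with the last-matching-entry rule that restorecon and matchpathcon follow. The file_contexts lines are constructed; the two "/opt -d" entries mirror Stephan's conflict.

```python
"""Added example (not from the thread or libselinux): model how libselinux
loads file_contexts, to check the duplicate-spec error and last-match rule."""
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in file_contexts syntax: <regex> [<type>] <context>.
# The two "/opt -d" entries reproduce the conflict reported in the thread
# (a home_root_t entry appended after the base policy's usr_t entry).
SAMPLE = r"""
/.*                                                 system_u:object_r:default_t:s0
/opt(/.*)?                                          system_u:object_r:usr_t:s0
/opt                                             -d system_u:object_r:usr_t:s0
/usr(/.*)?                                          system_u:object_r:usr_t:s0
/usr/(local/)?Adobe/.*\.api                      -- system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0
/opt                                             -d system_u:object_r:home_root_t:s0
"""
@dataclass
class Spec:
    regex_str: str
    mode: Optional[str]     # "--" file, "-d" dir, ...; None matches any type
    context: Optional[str]  # None stands for <<none>>
    pattern: re.Pattern

def parse_file_contexts(text: str) -> list:
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed file_contexts line: {line!r}")
        regex_str, ctx = fields[0], fields[-1]
        mode = fields[1] if len(fields) == 3 else None
        # libselinux anchors every regex at both ends before compiling it.
        specs.append(Spec(regex_str, mode, None if ctx == "<<none>>" else ctx,
                          re.compile("^" + regex_str + "$")))
    return specs

def find_conflicts(specs: list) -> list:
    """libselinux's duplicate check: same regex string, compatible type field,
    different context. Tuples are (regex, later ctx, earlier ctx), the order
    the real "Multiple different specifications" message prints them in."""
    found = []
    for i, a in enumerate(specs):
        for b in specs[i + 1:]:
            same_type = a.mode is None or b.mode is None or a.mode == b.mode
            if a.regex_str == b.regex_str and same_type and a.context != b.context:
                found.append((a.regex_str, b.context, a.context))
    return found

def match_context(specs: list, path: str, mode: Optional[str] = None):
    """Context restorecon would apply: the LAST matching entry wins, which is
    why an appended "/opt -d home_root_t" line overrides the usr_t one."""
    for spec in reversed(specs):
        if spec.mode is not None and mode is not None and spec.mode != mode:
            continue
        if spec.pattern.match(path):
            return spec.context
    return None
```

Running find_conflicts on the sample yields the same /opt pair restorecon complained about, and match_context shows a libJP2K.so under /usr/local/Adobe resolving to textrel_shlib_t while /opt itself resolves to the later home_root_t entry.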
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 28 Apr 2006 07:37:14 -0400
Subject: dump/restore (or "star") and SELinux problems
In-Reply-To: <20060428021921.GA11700@satyr.sylvan.com>
References: <20060426211433.GH27244@satyr.sylvan.com> <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil> <20060428021921.GA11700@satyr.sylvan.com>
Message-ID: <1146224234.11817.10.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-04-27 at 19:19 -0700, Kayvan A. Sylvan wrote:
> On Thu, Apr 27, 2006 at 12:54:57PM -0400, Stephen Smalley wrote:
> >
> > Did you try following the instructions in the SELinux FAQ:
> > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2978236
> >
> > In particular, using -xattr and -H=exustar options. -acl is specific to
> > POSIX ACLs I believe.
>
> I created the archive using the -xattr and -Hexustar options. With my
> system up, I can restore it to a different directory and the files
> are correctly labeled.
>
> However, booted into the FC5 rescue mode, I get the following message for
> every file:
>
> star: Can not setup security context for 'testfile'. Not created.
>
> The files end up looking like this afterwards:
>
> # ls -lZ
> -rw-r--r-- root root system_u:object_r:unlabeled_t testfile
>
> So, it looks as if using dump/restore or "star", I have the same
> inability to preserve security context. This is a practical problem for
> me since I am wanting to recreate my partitions using an LVM.
>
> Anyone have any other ideas?
>
> Thanks for all the help so far!!!

Can you add a comment to the existing bugzilla report for dump/restore,
and add a new bug for star with this information, please? Thanks.

-- 
Stephen Smalley
National Security Agency

From ce at ruault.com Fri Apr 28 12:48:22 2006
From: ce at ruault.com (Charles-Edouard Ruault)
Date: Fri, 28 Apr 2006 14:48:22 +0200
Subject: HOWTO: kdebluetooth with SELinux on FC5
In-Reply-To: <1146218334.5503.49.camel@tiffy.tuxgeek.de>
References: <4451C950.5080108@ruault.com> <1146218334.5503.49.camel@tiffy.tuxgeek.de>
Message-ID: <44520F16.3080202@ruault.com>

Thorsten Scherf wrote:
> On Fri, 2006-04-28 at 09:50 +0200, Charles-Edouard Ruault wrote:
>
>> Hi all,
>> for those who are interested, after struggling to get kdebluetooth to
>> work on my FC5 with SELinux targeted policy I've published a HOWTO at
>> the following address: http://www.ruault.com/kdebluetooth/
>> Feel free to let me know if I've missed something or if it can be improved.
>> Regards.
>>
>
> 4) Configure selinux
> You need to download and install one of the following policy modules,
> depending on the pin helper you're going to use:
>
> * bluez-pin, source file here. <-- just a .te-file
> * kblupin, source file here. <-- just a .te-file
>
> Save the policy file and then as root, load it using the following
> command: semodule -i policyname.pp
>
> You can't load the source file as mentioned in your HOWTO. You have to
> rebuild a policy-package file and then use semodule -i file.pp to load
> it.
>

Hi Thorsten,
thanks for the feedback. I guess the text is not clear enough :(
If you click on the 'here' link, you get the source file (.te) and you
have to compile it as explained in the document (a little bit below).
If you click on the 'bluez-pin' or 'kbluepin' link then you get the .pp
which can be loaded as stated with semodule -i file.pp.
I'll try to make it clearer ....

-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C

From tonynelson at georgeanelson.com Fri Apr 28 13:48:15 2006
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Fri, 28 Apr 2006 09:48:15 -0400
Subject: dump/restore (or "star") and SELinux problems
In-Reply-To: <1146224234.11817.10.camel@moss-spartans.epoch.ncsc.mil>
References: <20060428021921.GA11700@satyr.sylvan.com> <20060426211433.GH27244@satyr.sylvan.com> <1146156897.5238.64.camel@moss-spartans.epoch.ncsc.mil> <20060428021921.GA11700@satyr.sylvan.com>
Message-ID:

At 7:37 AM -0400 4/28/06, Stephen Smalley wrote:
>On Thu, 2006-04-27 at 19:19 -0700, Kayvan A. Sylvan wrote:
>> On Thu, Apr 27, 2006 at 12:54:57PM -0400, Stephen Smalley wrote:
>> >
>> > Did you try following the instructions in the SELinux FAQ:
>> > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2978236
>> >
>> > In particular, using -xattr and -H=exustar options. -acl is specific to
>> > POSIX ACLs I believe.
>>
>> I created the archive using the -xattr and -Hexustar options. With my
>> system up, I can restore it to a different directory and the files
>> are correctly labeled.
>>
>> However, booted into the FC5 rescue mode, I get the following message for
>> every file:
>>
>> star: Can not setup security context for 'testfile'. Not created.
>>
>> The files end up looking like this afterwards:
>>
>> # ls -lZ
>> -rw-r--r-- root root system_u:object_r:unlabeled_t testfile
>>
>> So, it looks as if using dump/restore or "star", I have the same
>> inability to preserve security context. This is a practical problem for
>> me since I am wanting to recreate my partitions using an LVM.
>>
>> Anyone have any other ideas?
>>
>> Thanks for all the help so far!!!
>
>Can you add a comment to the existing bugzilla report for dump/restore,
>and add a new bug for star with this information, please? Thanks.

BTW, the dump bug is bug #189845
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189845

____________________________________________________________________
TonyN.:' '

From paul at city-fan.org Fri Apr 28 15:54:27 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 28 Apr 2006 16:54:27 +0100
Subject: Add SELinux protection to Pure-FTPd
In-Reply-To:
References: <1145023318.17185.12.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <44523AB3.2050507@city-fan.org>

Aurelien Bompard wrote:
> Stephen Smalley wrote:
>> policy_module(pureftpd, 1.0) is preferred syntax going forward.
>> If you use policy_module() macro, you'll get the kernel class and
>> permission requires as part of it, so you won't need to explicitly
>> specify them each time.
>
> Yay ! Done that.
>
>> Does it truly need write access? The library always tries to open rw
>> first, then falls back to read-only if it cannot open rw, so even just
>> reading utmp will show up in avc messages as a rw attempt. Try just
>> allowing read, and dontaudit'ing the write permission.
>
> That's right, it only needs read access. I've added:
> init_read_utmp(ftpd_t)
> init_dontaudit_write_utmp(ftpd_t)
> to the module (picked from the policy sources)
>
>> Macros aka interfaces are preferred, as they preserve
>> modularity/encapsulation and thus make your module more portable to
>> other base policies.
>
> OK. I'll use sysnet_use_ldap to allow LDAP access then.
>
>> I don't think you want to put it in /usr/share/selinux/targeted (as that
>> could conflict in the future with the policy package), but I would
>> suggest putting it under /usr/share/selinux/ or similar to
>> keep all policy modules under that selinux tree, unless that also
>> presents some kind of conflict problem?
>
> Looks good to me, except I've placed it
> in /usr/share/selinux/packages/ to avoid the base and targeted
> dirs being buried under a ton of packages dirs in the future.

I've been trying to take this sort of approach with a package I'm
developing. Two issues concern me at the moment:

1. I build the policy module from te/fc/if files during the package's
"build" script.
I get output like this:

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
make: Entering directory `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'
Compiling targeted contagged module
/usr/bin/checkmodule: loading policy configuration from tmp/contagged.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/contagged.mod
Creating targeted contagged.pp policy package
make: Leaving directory `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'

This suggests to me that the resulting contagged.pp module is specific to
the targeted policy (which I'm running on the host system), so it would
presumably not work with other policies. Is that right? So would it be
better to build and install the policy at package install time rather than
package build time? Or could there be separate modules for each policy? If
so, how would they be built?

2. A mock build fails, presumably because mock does not mount /selinux?

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
/usr/share/selinux/devel/Makefile:14: /usr/share/selinux/targeted/include/Makefile: No such file or directory
make: *** No rule to make target `/usr/share/selinux/targeted/include/Makefile'. Stop.
make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'
error: Bad exit status from /var/tmp/rpm-tmp.42152 (%build)

This also suggests that install-time module building is needed, at least
for anything intending to go into Fedora Extras, where mock is used for
the buildsystem. I guess that would present a problem if the admin of the
system wanted to change to a different policy - the module would have to
be rebuilt somehow.

Paul.

From jin.kee at gmail.com Fri Apr 28 16:43:36 2006
From: jin.kee at gmail.com (Jin Kee)
Date: Sat, 29 Apr 2006 02:43:36 +1000
Subject: selinux-policy-targeted.noarch 1.27.1-2.28 on fc4 CGI.pm parameters passing problem (2.6.15-1.1833_FC4)
Message-ID: <4e96f9dd0604280943o3ac30166u68d4d802b797516a@mail.gmail.com>

Dear All,

Is this the right list for this question?

I just yumed from selinux-policy-targeted.noarch 1.27.1-2.22 to
selinux-policy-targeted.noarch 1.27.1-2.28 last night and now my cgi
scripts in perl can't find the parameters passed to them from forms.

I made a test script which submits a form and then goes print param('foo')
inside the returning html document, but all I see are my scaffolding lines
that tell me that the script has loaded, has rendered html and then is
about to finish.

When I run the same script as root from the command line it prints the
html and the correct value of 'foo'.

Before the update, I had altered my selinux policies to make httpd listen
on a higher port, but that is the only change I made. e.g.

# vi /etc/selinux/targeted/src/policy/net_contexts:
portcon tcp 8090 system_u:object_r:http_port_t
# make -C /etc/selinux/targeted/src/policy reload

That's the only change.

I'm running Linux localhost.localdomain 2.6.15-1.1833_FC4 #1 Wed Mar 1 23:41:37 EST 2006 i686 athlon i386 GNU/Linux

This is perl, v5.8.8 built for i686-linux
$CGI::revision = '$Id: CGI.pm,v 1.194 2005/12/06 22:12:56 lstein Exp $';
$CGI::VERSION='3.15';

The perl scripts worked yesterday.

Anybody else having this problem?

Thanks
Jin

From rdieter at math.unl.edu Fri Apr 28 17:17:07 2006
From: rdieter at math.unl.edu (Rex Dieter)
Date: Fri, 28 Apr 2006 12:17:07 -0500
Subject: HOWTO: kdebluetooth with SELinux on FC5
In-Reply-To: <4451C950.5080108@ruault.com>
References: <4451C950.5080108@ruault.com>
Message-ID:

Charles-Edouard Ruault wrote:
> Hi all,
> for those who are interested, after struggling to get kdebluetooth to
> work on my FC5 with SELinux targeted policy I've published a HOWTO at
> the following address: http://www.ruault.com/kdebluetooth/
> Feel free to let me know if I've missed something or if it can be improved.
> Regards.

Is this something that could be added to the kdebluetooth FE submission
rpm? (http://bugzilla.redhat.com/bugzilla/186452)

-- 
Rex

From st.gross at gmx.de Fri Apr 28 18:49:54 2006
From: st.gross at gmx.de (Stephan Groß)
Date: Fri, 28 Apr 2006 20:49:54 +0200
Subject: HOWTO: kdebluetooth with SELinux on FC5
In-Reply-To:
References: <4451C950.5080108@ruault.com>
Message-ID: <200604282049.57399.st.gross@gmx.de>

On Friday 28 April 2006 19:17, Rex Dieter wrote:
> Charles-Edouard Ruault wrote:
> > Hi all,
> > for those who are interested, after struggling to get kdebluetooth to
> > work on my FC5 with SELinux targeted policy I've published a HOWTO at
> > the following address: http://www.ruault.com/kdebluetooth/
> > Feel free to let me know if I've missed something or if it can be
> > improved. Regards.
>
> Is this something that could be added to the kdebluetooth FE submission
> rpm? (http://bugzilla.redhat.com/bugzilla/186452)

Is there an "estimated date of arrival" when the package will be published in
Fedora Extras?

Stephan.

From sundaram at fedoraproject.org Fri Apr 28 19:50:03 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sat, 29 Apr 2006 01:20:03 +0530
Subject: HOWTO: kdebluetooth with SELinux on FC5
In-Reply-To: <200604282049.57399.st.gross@gmx.de>
References: <4451C950.5080108@ruault.com> <200604282049.57399.st.gross@gmx.de>
Message-ID: <1146253803.3802.46.camel@sundaram.pnq.redhat.com>

On Fri, 2006-04-28 at 20:49 +0200, Stephan Groß wrote:
> On Friday 28 April 2006 19:17, Rex Dieter wrote:
> > Charles-Edouard Ruault wrote:
> > > Hi all,
> > > for those who are interested, after struggling to get kdebluetooth to
> > > work on my FC5 with SELinux targeted policy I've published a HOWTO at
> > > the following address: http://www.ruault.com/kdebluetooth/
> > > Feel free to let me know if I've missed something or if it can be
> > > improved. Regards.
> >
> > Is this something that could be added to the kdebluetooth FE submission
> > rpm? (http://bugzilla.redhat.com/bugzilla/186452)
>
> Is there an "estimated date of arrival" when the package will be published in
> Fedora Extras?

Not really. You can help by reviewing it against the packaging guidelines
(http://fedoraproject.org/wiki/Packaging/Guidelines) but it depends on the
queue and amount of help we can get.

Rahul

From scottt.tw at gmail.com Sat Apr 29 16:36:59 2006
From: scottt.tw at gmail.com (Scott Tsai)
Date: Sun, 30 Apr 2006 00:36:59 +0800
Subject: samba selinux adding new PC to domain
References: <444F82D8.1040003@city-fan.org> <1365.24.2.210.202.1146072841.squirrel@mail.eastgranby.k12.ct.us>
Message-ID:

On Wed, 26 Apr 2006 13:34:01 -0400, mroselinux wrote:
> How can I always leave enforcing on?

You could create a local policy module to grant useradd the additional permissions.

1. Create a file t.log with the relevant avc messages.

cat <<-EOF > t.log
audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
EOF

2. Build a selinux policy module with audit2allow

audit2allow -M local_samba_useradd -i t.log

3. Load the policy module into the kernel

semodule -i local_samba_useradd.pp

4. If you want to keep this setting across reboot, I guess you'll have to put the "semodule -i" line into /etc/rc.d/rc.local ?

I'm a bit suspicious about why the "passwd" file was labeled "etc_runtime_t" in the first place.

See Also: http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
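The denials and the audit2allow step in the message above, as an added example that is not part of the post and not audit2allow's own code: it parses the two AVC lines into (source type, target type, class, permissions) and renders the allow rules a module named local_samba_useradd would contain. The log text and the module name are taken from the message; the .te layout is the module/require/allow form audit2allow -M writes.

```python
"""Added example (not audit2allow's own code): turn the two AVC denials quoted
above into the allow rules a local policy module for them would contain."""
import re
from collections import defaultdict

# Constructed copies of the two denial lines from the message.
AVC_LOG = """\
audit(1145984005.084:160): avc: denied { append } for pid=24952 comm="useradd" name="log.mslib2k10w" dev=dm-0 ino=8674237 scontext=root:system_r:useradd_t:s0 tcontext=root:object_r:samba_log_t:s0 tclass=file
audit(1145984005.088:162): avc: denied { read write } for pid=24952 comm="useradd" name="passwd" dev=dm-0 ino=1964129 scontext=root:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def type_of(context: str) -> str:
    """user:role:type[:mls] -> type, the only part an allow rule names."""
    return context.split(":")[2]

def parse_avc(log: str) -> list:
    """One (source type, target type, class, {permissions}) per denial line."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                            m["tclass"], set(m["perms"].split())))
    return denials

def to_te(denials: list, name: str) -> str:
    """Policy source in the layout audit2allow -M writes: module header,
    require block, then one allow rule per (source, target, class), with
    permissions merged across denials of the same triple."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {src} {tgt}:{cls} {p};" if len(perms) == 1
                   else f"allow {src} {tgt}:{cls} {{ {p} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # The etc_runtime_t rule is a symptom: /etc/passwd is expected to be etc_t,
    # so relabelling it (restorecon -v /etc/passwd) is the fix, not the allow.
    print(to_te(parse_avc(AVC_LOG), "local_samba_useradd"))
```

A module installed with semodule -i is stored in the policy module store and is part of the policy loaded at boot, so it does not need to be re-run from rc.local.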