From cfzeitler at yahoo.com Tue Aug 1 00:27:45 2006
From: cfzeitler at yahoo.com (charles f. zeitler)
Date: Mon, 31 Jul 2006 17:27:45 -0700 (PDT)
Subject: drives that fail to mount on boot
Message-ID: <20060801002745.3919.qmail@web82501.mail.mud.yahoo.com>

i have a couple of drives that don't mount on boot, but do mount with
mount -a.

in fstab:

/dev/hdb1 /home/fedora/music ext3 defaults 1 2
/dev/hdd1 /home/fedora/torrents_isos ext3 defaults 1 2

and in 'messages':

Jul 31 18:16:22 localhost kernel: audit(1154387748.987:339): avc: denied { mounton } for pid=1213 comm="mount" name="music" dev=hda11 ino=15958135 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:340): avc: denied { mounton } for pid=1213 comm="mount" name="music" dev=hda11 ino=15958135 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:341): avc: denied { mounton } for pid=1213 comm="mount" name="torrents_isos" dev=hda11 ino=15958071 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:342): avc: denied { mounton } for pid=1213 comm="mount" name="torrents_isos" dev=hda11 ino=15958071 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir

any help appreciated

charles zeitler

: Do What Thou Wilt :
: Shall Be :
: The Whole of The Law :
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Tue, 1 Aug 2006 07:05:48 +0200
Subject: hotplug_t?
In-Reply-To: <1154354716.1447.34.camel@moss-spartans.epoch.ncsc.mil>
References: <20060731135445.GP19516@neu.nirvana> <1154354716.1447.34.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060801050548.GS19516@neu.nirvana>

On Mon, Jul 31, 2006 at 10:05:16AM -0400, Stephen Smalley wrote:
> On Mon, 2006-07-31 at 15:54 +0200, Axel Thimm wrote:
> > Hi,
> >
> > after upgrading FC4 to FC5 and enabling selinux/targeted/permissive I
> > see lots of hotplug_t domains. Most prominently every bash login and
> > the default ssh -l root domains (before newrole) are such. This
> > doesn't look right, did the upgrade go wrong somewhere?
>
> Presumably, as that definitely isn't correct.
>
> /usr/sbin/sestatus -v
>

# id -Z
root:system_r:hotplug_t:SystemLow-SystemHigh
# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        targeted

Process contexts:
Current context:                root:system_r:hotplug_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:kernel_t
/usr/sbin/sshd                  system_u:system_r:kernel_t

File contexts:
Controlling term:               root:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
--
Axel.Thimm at ATrpms.net
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Tue, 1 Aug 2006 07:10:15 +0200
Subject: hotplug_t?
In-Reply-To: <44CE16A6.4050305@redhat.com>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com>
Message-ID: <20060801051015.GT19516@neu.nirvana>

On Mon, Jul 31, 2006 at 10:41:42AM -0400, Daniel J Walsh wrote:
> Axel Thimm wrote:
> >Hi,
> >
> >after upgrading FC4 to FC5 and enabling selinux/targeted/permissive I
> >see lots of hotplug_t domains. Most prominently every bash login and
> >the default ssh -l root domains (before newrole) are such. This
> >doesn't look right, did the upgrade go wrong somewhere?
> >
> >Thanks!
> >
> Sounds like you have a major labeling problem. touch /.autorelabel; reboot

As said I cannot put the system off-line for several hours and the
last relabeling took about 5-6h.

But the relabeling was done according to /etc/rc.sysinit, only
manually. E.g. I rm'd /.autorelabel, rebooted and called
/sbin/fixfiles restore

The following is also returning an empty output:

# ls -Z {,/usr}/*bin/*| grep hotplug_t

Where else could I look?
--
Axel.Thimm at ATrpms.net
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 01 Aug 2006 08:26:05 +0100
Subject: drives that fail to mount on boot
In-Reply-To: <20060801002745.3919.qmail@web82501.mail.mud.yahoo.com>
References: <20060801002745.3919.qmail@web82501.mail.mud.yahoo.com>
Message-ID: <1154417165.18934.2.camel@laurel.intra.city-fan.org>

On Mon, 2006-07-31 at 17:27 -0700, charles f. zeitler wrote:
> i have a couple of drives
> that don't mount on boot,
> but do mount with mount -a.
>
> in fstab:
>
> /dev/hdb1 /home/fedora/music ext3
> defaults 1 2
> /dev/hdd1 /home/fedora/torrents_isos
> ext3 defaults 1 2
>
> and in 'messages':
>
> Jul 31 18:16:22 localhost kernel: audit(1154387748.987:339): avc: denied { mounton } for pid=1213 comm="mount" name="music" dev=hda11 ino=15958135 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> Jul 31 18:16:22 localhost kernel: audit(1154387748.987:340): avc: denied { mounton } for pid=1213 comm="mount" name="music" dev=hda11 ino=15958135 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> Jul 31 18:16:22 localhost kernel: audit(1154387748.987:341): avc: denied { mounton } for pid=1213 comm="mount" name="torrents_isos" dev=hda11 ino=15958071 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> Jul 31 18:16:22 localhost kernel: audit(1154387748.987:342): avc: denied { mounton } for pid=1213 comm="mount" name="torrents_isos" dev=hda11 ino=15958071 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
>
>
> any help appreciated

Unmount the filesystems, then:

# chcon -t mnt_t /home/fedora/{music,torrents_isos}

Then try:

# service netfs start

This will attempt to mount the filesystems in the same way as at boot
time (you might want to try this before doing the "chcon" to verify this
for yourself).

Paul.
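As an added example (not part of the thread), a small parser for AVC records like the ones quoted above: it splits each denial into source domain, permission, target type and object name, collapses repeats, and lists the directories that mount_t was refused `mounton` for, which is exactly the set Paul's chcon line relabels. The sample lines are copied from this thread (the Samba `create` denials come from a later message in it); the function names are my own, not from any tool.

```python
import re

# Sample records copied from the thread: the four 'mounton' denials Charles
# posted and the two Samba 'create' denials discussed further down, plus one
# constructed non-AVC syslog line to show that it is skipped.
SAMPLE_LOG = """\
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:339): avc: denied { mounton } for pid=1213 comm="mount" name="music" dev=hda11 ino=15958135 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:340): avc: denied { mounton } for pid=1213 comm="mount" name="music" dev=hda11 ino=15958135 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:341): avc: denied { mounton } for pid=1213 comm="mount" name="torrents_isos" dev=hda11 ino=15958071 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Jul 31 18:16:22 localhost kernel: audit(1154387748.987:342): avc: denied { mounton } for pid=1213 comm="mount" name="torrents_isos" dev=hda11 ino=15958071 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
audit(1154259027.504:4): avc: denied { create } for pid=2610 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
audit(1154259027.996:5): avc: denied { create } for pid=2613 comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
Jul 31 18:16:23 localhost kernel: EXT3 FS on hdb1, internal journal (constructed filler line)
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "sdomain": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarize(lines):
    """Collapse repeated denials into (sdomain, perm, tclass, ttype, name, count)."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["sdomain"], perm, rec["tclass"], rec["ttype"], rec["name"])
            counts[key] = counts.get(key, 0) + 1
    return sorted(key + (n,) for key, n in counts.items())


def mountpoints_to_relabel(lines):
    """Directory names the mount_t domain was refused 'mounton' for, i.e. mount
    points whose current label (user_home_t above) is not a valid mount target.
    The AVC record only carries the basename, so map it back to the fstab path."""
    return sorted({name for dom, perm, cls, _, name, _ in summarize(lines)
                   if dom == "mount_t" and perm == "mounton" and cls == "dir"})


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print(row)
    print("relabel:", mountpoints_to_relabel(SAMPLE_LOG.splitlines()))
```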
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 01 Aug 2006 08:46:44 +0100
Subject: selinux-policy-2.3.3-8.fc5
Message-ID: <1154418404.18934.13.camel@laurel.intra.city-fan.org>

... includes this changelog entry:

* Tue Jun 20 2006 Dan Walsh 2.2.47-5
- Break out selinux-devel package

but sadly it's not true :-(

Paul.

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 Aug 2006 08:48:41 -0400
Subject: hotplug_t?
In-Reply-To: <20060801051015.GT19516@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana>
Message-ID: <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-08-01 at 07:10 +0200, Axel Thimm wrote:
> On Mon, Jul 31, 2006 at 10:41:42AM -0400, Daniel J Walsh wrote:
> > Axel Thimm wrote:
> > >Hi,
> > >
> > >after upgrading FC4 to FC5 and enabling selinux/targeted/permissive I
> > >see lots of hotplug_t domains. Most prominently every bash login and
> > >the default ssh -l root domains (before newrole) are such. This
> > >doesn't look right, did the upgrade go wrong somewhere?
> > >
> > >Thanks!
> > >
> > Sounds like you have a major labeling problem. touch /.autorelabel; reboot
>
> As said I cannot put the system off-line for several hours and the
> last relabeling took about 5-6h.
>
> But the relabeling was done according to /etc/rc.sysinit, only
> manually. E.g. I rm'd /.autorelabel, rebooted and called
> /sbin/fixfiles restore
>
> The following is also returning an empty output:
>
> # ls -Z {,/usr}/*bin/*| grep hotplug_t

hotplug_t is the domain of the process, whereas the executable file
would have hotplug_exec_t.

--
Stephen Smalley
National Security Agency
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 01 Aug 2006 13:49:24 +0100
Subject: Policy Module Packaging Guidelines (first draft)
In-Reply-To: <44CE3B72.4010605@kobold.org>
References: <44CE2CB3.7070509@city-fan.org> <44CE3B72.4010605@kobold.org>
Message-ID: <44CF4DD4.7020500@city-fan.org>

Wart wrote:
> Paul Howarth wrote:
>> I've written up my thoughts on packaging policy modules with applications:
>>
>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>>
>> Fire away!
>
> Looks good!
>
> * s/scrope/scope/

Kindly fixed by Matthew yesterday.

> * In the 'separate subpackage' section do you want to add a note about
> making the -selinux subpackage an entirely new package with its own
> specfile, instead of a subpackage in an existing spec file?
>
> Advantages:
>
> Keeps the spec files much simpler and easier to read.
> Allows for separate maintainers of the main and -selinux packages.
> selinux packages can be updated without pushing new builds of the main
> package
>
> Disadvantages:
>
> Care must be taken to make sure that the selinux package is updated with
> the main package as needed.
> What value should be given for the URL and License tags in the spec file?

I think this idea merits some discussion. I tend to think of policy
modules as being rather like kernel modules, in that they're things that
are useful and usable whilst still under development but that ideally
should eventually become unnecessary because they get merged into the
main upstream project. So a separate package should be a short-lived
package really. I see the merits of having a separate package but I'd be
in favour of such packages having to be justified as per kernel modules,
along with a roadmap for an upstream merge.

> * I like the inclusion of the source files in %doc. That can be
> extremely useful.
>
> * You should note that you can't use 'service myapp condrestart' in
> %postun to transition a daemon process back to the unconfined domain
> after the module has been unloaded. You have to first transition the
> daemon domain, then remove the policy module. Otherwise the process
> will end up in an odd state and can't be killed until selinux is disabled:
>
> %postun selinux
> /usr/sbin/setsebool %{name}_disable_trans 1
> /sbin/service %{name} condrestart > /dev/null 2>&1 || :
> for selinuxvariant in %{selinux_variants} ; do
> /usr/sbin/semodule -s ${selinuxvariant} -r mymodule &> /dev/null
> || :
> done

Note added.

> * How should the selinux policy module be versioned? Should it match
> the application versioning? Are there any restrictions on policy module
> version numbers?

I don't think that policy numbers need bear any resemblance to the main
package version; I've added a note to that effect. I'm not sure what the
actual restrictions are on numbering, e.g. whether any characters not in
the class [0-9.] are allowed.

> * Using %{name} instead of 'myapp' in the templates would make it easier
> to copy/paste them into existing packages

I don't think "myapp" appears anywhere where it wouldn't be completely
replaced in the template, so I don't think changing it to %{name} would
be useful. However, the module name "mymodule" appears in a way that is
very generic, so I added a define of %{modulename} at the top of the
template and replaced "mymodule" with "%{modulename}" everywhere.

> * Don't you want to call 'fixfiles -R' in the %post and %postun sections
> of the sample templates? You included it in the scriptlets section above.

I did, but I think the scriptlet code is likely to be so different for
different packages that I didn't want to include too much in there on the
basis that some people might just cut-and-paste things that aren't
necessary.
How about I use "restorecon" in one of the templates and "fixfiles" in
the other, in order to illustrate that there's no one "right" way of
doing it?

Paul.
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Tue, 1 Aug 2006 14:51:42 +0200
Subject: hotplug_t?
In-Reply-To: <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060801125142.GE6313@neu.nirvana>

On Tue, Aug 01, 2006 at 08:48:41AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 07:10 +0200, Axel Thimm wrote:
> > On Mon, Jul 31, 2006 at 10:41:42AM -0400, Daniel J Walsh wrote:
> > > Axel Thimm wrote:
> > > >Hi,
> > > >
> > > >after upgrading FC4 to FC5 and enabling selinux/targeted/permissive I
> > > >see lots of hotplug_t domains. Most prominently every bash login and
> > > >the default ssh -l root domains (before newrole) are such. This
> > > >doesn't look right, did the upgrade go wrong somewhere?
> > > >
> > > >Thanks!
> > > >
> > > Sounds like you have a major labeling problem. touch /.autorelabel; reboot
> >
> > As said I cannot put the system off-line for several hours and the
> > last relabeling took about 5-6h.
> >
> > But the relabeling was done according to /etc/rc.sysinit, only
> > manually. E.g. I rm'd /.autorelabel, rebooted and called
> > /sbin/fixfiles restore
> >
> > The following is also returning an empty output:
> >
> > # ls -Z {,/usr}/*bin/*| grep hotplug_t
>
> hotplug_t is the domain of the process, whereas the executable file
> would have hotplug_exec_t.
>

Does the following output help? Looks like anything called from sshd
gets into hotplug_t. The main sshd process runs under
system_u:system_r:kernel_t.

Thanks!

# ps uaxwwZf|grep -1 hotplug
system_u:system_r:kernel_t root 4469 0.0 0.1 8140 2848 ? Ss Jul30 0:01 \_ sshd: root at pts/0
root:system_r:hotplug_t:SystemLow-SystemHigh root 4511 0.0 0.1 5464 2308 pts/0 Ss Jul30 0:00 | \_ -bash
root:system_r:hotplug_t:SystemLow-SystemHigh root 27711 0.0 0.0 4464 1032 pts/0 S Jul31 0:00 | \_ newrole -t unconfined_t
root:system_r:unconfined_t:SystemLow-SystemHigh root 27740 0.0 0.1 5468 2264 pts/0 S+ Jul31 0:00 | \_ /bin/bash
system_u:system_r:kernel_t root 5438 0.0 0.1 8364 3172 ? Ss Jul31 0:00 \_ sshd: root at pts/1
root:system_r:hotplug_t:SystemLow-SystemHigh root 5461 0.0 0.1 5468 2320 pts/1 Ss Jul31 0:00 | \_ -bash
root:system_r:hotplug_t:SystemLow-SystemHigh root 20352 0.0 0.0 4860 1344 pts/1 R+ 14:48 0:00 | \_ ps uaxwwZf
root:system_r:hotplug_t:SystemLow-SystemHigh root 20353 0.0 0.0 4156 688 pts/1 S+ 14:48 0:00 | \_ grep -1 hotplug
system_u:system_r:kernel_t root 21263 0.0 0.1 7876 2688 ? Ss Jul31 0:00 \_ sshd: christin [priv]
system_u:system_r:kernel_t christin 21285 0.0 0.0 8168 2060 ? S Jul31 0:00 | \_ sshd: christin at pts/2
user_u:system_r:hotplug_t christin 21286 0.0 0.1 6732 2928 pts/2 Ss+ Jul31 0:00 | \_ -tcsh
system_u:system_r:kernel_t root 20327 0.5 0.1 7876 2468 ? Ss 14:48 0:00 \_ sshd: glaweh [priv]
system_u:system_r:kernel_t glaweh 20332 2.0 0.1 8008 2228 ? S 14:48 0:00 \_ sshd: glaweh at notty
user_u:system_r:hotplug_t glaweh 20341 3.0 0.1 7056 2676 ? Ss 14:48 0:00 \_ /usr/libexec/dovecot/imap
system_u:system_r:kernel_t root 2962 0.0 0.0 2228 884 ? Ss Jul30 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
--
root:system_r:spamd_t:SystemLow-SystemHigh root 17359 1.4 1.9 46480 40212 ? S 14:40 0:07 \_ spamd child
user_u:system_r:hotplug_t christin 21332 0.0 0.0 4848 592 pts/2 S Jul31 0:00 /bin/sh /home/christin/bin/boxes
user_u:system_r:hotplug_t christin 21333 0.0 0.0 4036 1904 pts/2 SN Jul31 0:00 \_ xbuffy -bg rgb:90/80/90 -fg black -boxfile /home/christin/.xbuffyrc
root:system_r:spamd_t:SystemLow-SystemHigh root 26331 0.0 0.0 2492 216 ? Ss Jul31 0:00 /usr/libexec/dcc/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
--
Axel.Thimm at ATrpms.net

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 Aug 2006 09:08:37 -0400
Subject: hotplug_t?
In-Reply-To: <20060801050548.GS19516@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <1154354716.1447.34.camel@moss-spartans.epoch.ncsc.mil> <20060801050548.GS19516@neu.nirvana>
Message-ID: <1154437717.3582.67.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-08-01 at 07:05 +0200, Axel Thimm wrote:
> Process contexts:
> Current context: root:system_r:hotplug_t:SystemLow-SystemHigh
> Init context: system_u:system_r:init_t
> /sbin/mingetty system_u:system_r:kernel_t
> /usr/sbin/sshd system_u:system_r:kernel_t

That's puzzling; init is in the correct domain (init_t) but mingetty and
sshd are in kernel_t rather than getty_t. init starts life in kernel_t,
then re-execs into init_t after loading policy, then performs normal
startup. But there are no transitions back into kernel_t. And the
files appear to have the right contexts.

rpm -q selinux-policy-targeted SysVinit
rpm -V selinux-policy-targeted
/usr/sbin/semodule -l
cmp /etc/selinux/targeted/modules/active/policy.kern /etc/selinux/targeted/policy/policy.20

--
Stephen Smalley
National Security Agency
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 Aug 2006 09:16:04 -0400
Subject: hotplug_t?
In-Reply-To: <20060801125142.GE6313@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana>
Message-ID: <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> Does the following output help? Looks like anything called from sshd
> gets into hotplug_t. The main sshd process runs under
> system_u:system_r:kernel_t.

sshd running in kernel_t is the problem; that should never happen (init
transitions to init_t, then everything flows from it; nothing should
ever transition back into kernel_t). Only kernel threads should have
kernel_t (init will start life as kernel_t but then transition; usermode
helpers like modprobe and hotplug should transition upon the exec).

--
Stephen Smalley
National Security Agency
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Tue, 1 Aug 2006 15:14:19 +0200
Subject: hotplug_t?
In-Reply-To: <1154437717.3582.67.camel@moss-spartans.epoch.ncsc.mil>
References: <20060731135445.GP19516@neu.nirvana> <1154354716.1447.34.camel@moss-spartans.epoch.ncsc.mil> <20060801050548.GS19516@neu.nirvana> <1154437717.3582.67.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060801131419.GF6313@neu.nirvana>

On Tue, Aug 01, 2006 at 09:08:37AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 07:05 +0200, Axel Thimm wrote:
> > Process contexts:
> > Current context: root:system_r:hotplug_t:SystemLow-SystemHigh
> > Init context: system_u:system_r:init_t
> > /sbin/mingetty system_u:system_r:kernel_t
> > /usr/sbin/sshd system_u:system_r:kernel_t
>
> That's puzzling; init is in the correct domain (init_t) but mingetty and
> sshd are in kernel_t rather than getty_t. init starts life in kernel_t,
> then re-execs into init_t after loading policy, then performs normal
> startup. But there are no transitions back into kernel_t. And the
> files appear to have the right contexts.

Restarting sshd from a root:system_r:hotplug_t:SystemLow-SystemHigh
root login results in a root:system_r:unconfined_t:SystemLow-SystemHigh
master sshd process. Is that correct?

> rpm -q selinux-policy-targeted SysVinit
> rpm -V selinux-policy-targeted
> /usr/sbin/semodule -l
> cmp /etc/selinux/targeted/modules/active/policy.kern /etc/selinux/targeted/policy/policy.20

# rpm -q selinux-policy-targeted SysVinit
selinux-policy-targeted-2.3.2-1.fc5
SysVinit-2.86-2.2.2
# rpm -V selinux-policy-targeted
# /usr/sbin/semodule -l
amavis  1.0.5
clamav  1.0.4
dcc     1.0.1
pyzor   1.0.4
razor   1.0.1
# cmp /etc/selinux/targeted/modules/active/policy.kern /etc/selinux/targeted/policy/policy.20
--
Axel.Thimm at ATrpms.net
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Tue, 1 Aug 2006 15:21:21 +0200
Subject: hotplug_t?
In-Reply-To: <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana> <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060801132121.GG6313@neu.nirvana>

On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> > Does the following output help? Looks like anything called from sshd
> > gets into hotplug_t. The main sshd process runs under
> > system_u:system_r:kernel_t.
>
> sshd running in kernel_t is the problem; that should never happen (init
> transitions to init_t, then everything flows from it; nothing should
> ever transition back into kernel_t). Only kernel threads should have
> kernel_t (init will start life as kernel_t but then transition; usermode
> helpers like modprobe and hotplug should transition upon the exec).

Hm. There are tons of processes in kernel_t, in fact almost everything
but sshd initiated processes, httpd, rotatelog and spamd.

Maybe I need to restart init yet another time (e.g. reboot). Would
that make sense?

I'll reboot the system in ~9h and check again whether any process but
kernel threads got lost in kernel_t.
--
Axel.Thimm at ATrpms.net
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 01 Aug 2006 14:24:26 +0100
Subject: hotplug_t?
In-Reply-To: <20060801132121.GG6313@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana> <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil> <20060801132121.GG6313@neu.nirvana>
Message-ID: <44CF560A.2080504@city-fan.org>

Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
>> On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
>>> Does the following output help? Looks like anything called from sshd
>>> gets into hotplug_t. The main sshd process runs under
>>> system_u:system_r:kernel_t.
>> sshd running in kernel_t is the problem; that should never happen (init
>> transitions to init_t, then everything flows from it; nothing should
>> ever transition back into kernel_t). Only kernel threads should have
>> kernel_t (init will start life as kernel_t but then transition; usermode
>> helpers like modprobe and hotplug should transition upon the exec).
>
> Hm. There are tons of processes in kernel_t, in fact almost everything
> but sshd initiated processes, httpd, rotatelog and spamd.
>
> Maybe I need to restart init yet another time (e.g. reboot). Would
> that make sense?
>
> I'll reboot the system in ~9h and check again whether any process but
> kernel threads got lost in kernel_t.

Is /sbin/init labelled as system_u:object_r:init_exec_t ?

Paul.
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 Aug 2006 09:29:11 -0400
Subject: hotplug_t?
In-Reply-To: <20060801131419.GF6313@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <1154354716.1447.34.camel@moss-spartans.epoch.ncsc.mil> <20060801050548.GS19516@neu.nirvana> <1154437717.3582.67.camel@moss-spartans.epoch.ncsc.mil> <20060801131419.GF6313@neu.nirvana>
Message-ID: <1154438951.3582.81.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-08-01 at 15:14 +0200, Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:08:37AM -0400, Stephen Smalley wrote:
> > On Tue, 2006-08-01 at 07:05 +0200, Axel Thimm wrote:
> > > Process contexts:
> > > Current context: root:system_r:hotplug_t:SystemLow-SystemHigh
> > > Init context: system_u:system_r:init_t
> > > /sbin/mingetty system_u:system_r:kernel_t
> > > /usr/sbin/sshd system_u:system_r:kernel_t
> >
> > That's puzzling; init is in the correct domain (init_t) but mingetty and
> > sshd are in kernel_t rather than getty_t. init starts life in kernel_t,
> > then re-execs into init_t after loading policy, then performs normal
> > startup. But there are no transitions back into kernel_t. And the
> > files appear to have the right contexts.
>
> Restarting sshd from a root:system_r:hotplug_t:SystemLow-SystemHigh
> root login results in a root:system_r:unconfined_t:SystemLow-SystemHigh
> master sshd process. Is that correct?

Yes, sshd is unconfined in targeted policy.

> # rpm -q selinux-policy-targeted SysVinit
> selinux-policy-targeted-2.3.2-1.fc5
> SysVinit-2.86-2.2.2
> # rpm -V selinux-policy-targeted
> # /usr/sbin/semodule -l
> amavis 1.0.5
> clamav 1.0.4
> dcc 1.0.1
> pyzor 1.0.4
> razor 1.0.1
> # cmp /etc/selinux/targeted/modules/active/policy.kern /etc/selinux/targeted/policy/policy.20

This looks sane, although I think there is a newer update of policy.

--
Stephen Smalley
National Security Agency
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Tue, 1 Aug 2006 15:27:25 +0200
Subject: hotplug_t?
In-Reply-To: <44CF560A.2080504@city-fan.org>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana> <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil> <20060801132121.GG6313@neu.nirvana> <44CF560A.2080504@city-fan.org>
Message-ID: <20060801132725.GH6313@neu.nirvana>

On Tue, Aug 01, 2006 at 02:24:26PM +0100, Paul Howarth wrote:
> Axel Thimm wrote:
> >On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
> >>On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> >>>Does the following output help? Looks like anything called from sshd
> >>>gets into hotplug_t. The main sshd process runs under
> >>>system_u:system_r:kernel_t.
> >>sshd running in kernel_t is the problem; that should never happen (init
> >>transitions to init_t, then everything flows from it; nothing should
> >>ever transition back into kernel_t). Only kernel threads should have
> >>kernel_t (init will start life as kernel_t but then transition; usermode
> >>helpers like modprobe and hotplug should transition upon the exec).
> >
> >Hm. There are tons of processes in kernel_t, in fact almost everything
> >but sshd initiated processes, httpd, rotatelog and spamd.
> >
> >Maybe I need to restart init yet another time (e.g. reboot). Would
> >that make sense?
> >
> >I'll reboot the system in ~9h and check again whether any process but
> >kernel threads got lost in kernel_t.
>
> Is /sbin/init labelled as system_u:object_r:init_exec_t ?

Yes, it is.
--
Axel.Thimm at ATrpms.net
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 Aug 2006 09:38:15 -0400
Subject: hotplug_t?
In-Reply-To: <20060801132121.GG6313@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana> <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil> <20060801132121.GG6313@neu.nirvana>
Message-ID: <1154439495.3582.88.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-08-01 at 15:21 +0200, Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
> > On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> > > Does the following output help? Looks like anything called from sshd
> > > gets into hotplug_t. The main sshd process runs under
> > > system_u:system_r:kernel_t.
> >
> > sshd running in kernel_t is the problem; that should never happen (init
> > transitions to init_t, then everything flows from it; nothing should
> > ever transition back into kernel_t). Only kernel threads should have
> > kernel_t (init will start life as kernel_t but then transition; usermode
> > helpers like modprobe and hotplug should transition upon the exec).
>
> Hm. There are tons of processes in kernel_t, in fact almost everything
> but sshd initiated processes, httpd, rotatelog and spamd.
>
> Maybe I need to restart init yet another time (e.g. reboot). Would
> that make sense?

It would if init were running in kernel_t too. But given that it is
running in init_t, I don't understand how its descendants got back to
kernel_t. Unless the transition to init_t happened after starting the
descendants, e.g. you manually told init to re-exec via telinit.

> I'll reboot the system in ~9h and check again whether any process but
> kernel threads got lost in kernel_t.

--
Stephen Smalley
National Security Agency
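The rule Stephen states (once init has re-execed into init_t, only kernel threads should still carry kernel_t) can be checked mechanically instead of by eyeballing a process list. Added example, not code from the thread: it parses `ps uaxwwZf` output of the shape Axel posted, strips the forest markers, flags userspace processes that still run in kernel_t, and counts processes per domain. The sample is constructed from lines in the thread plus an invented kernel thread and init entry for contrast; function names are my own.

```python
# Constructed sample in `ps uaxwwZf` layout (LABEL USER PID %CPU %MEM VSZ RSS
# TTY STAT START TIME COMMAND). Lines 3-6 are taken from the thread (with the
# archive's "root at pts/0" restored to root@pts/0); the kernel thread and
# init entries are invented so the checker has both cases to distinguish.
PS_SAMPLE = r"""
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:kernel_t root 2 0.0 0.0 0 0 ? S< Jul30 0:00 [migration/0]
system_u:system_r:init_t root 1 0.0 0.0 2024 560 ? S Jul30 0:01 init [3]
system_u:system_r:kernel_t root 4469 0.0 0.1 8140 2848 ? Ss Jul30 0:01 \_ sshd: root@pts/0
root:system_r:hotplug_t:SystemLow-SystemHigh root 4511 0.0 0.1 5464 2308 pts/0 Ss Jul30 0:00 | \_ -bash
root:system_r:unconfined_t:SystemLow-SystemHigh root 27740 0.0 0.1 5468 2264 pts/0 S+ Jul31 0:00 | \_ /bin/bash
system_u:system_r:kernel_t root 2962 0.0 0.0 2228 884 ? Ss Jul30 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
"""

# Tree-drawing tokens that `ps f` puts in front of the command
FOREST_MARKERS = {"|", "\\_"}
# Number of fixed columns before COMMAND in `ps uaxwwZ` output
FIXED_COLUMNS = 11


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_ps(text):
    """Parse `ps uaxwwZf`-style lines into dicts; the header and short lines are skipped."""
    procs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) <= FIXED_COLUMNS or tokens[0] == "LABEL":
            continue
        cmd = tokens[FIXED_COLUMNS:]
        while cmd and cmd[0] in FOREST_MARKERS:
            cmd.pop(0)
        procs.append({
            "domain": context_type(tokens[0]),
            "user": tokens[1],
            "pid": int(tokens[2]),
            "vsz": int(tokens[5]),
            "command": " ".join(cmd),
        })
    return procs


def is_kernel_thread(proc):
    """Kernel threads show a bracketed name and have no address space (VSZ 0)."""
    cmd = proc["command"]
    return proc["vsz"] == 0 and cmd.startswith("[") and cmd.endswith("]")


def userspace_in_kernel_t(procs):
    """Processes that violate the rule: in kernel_t but not a kernel thread.
    Each one is a process whose ancestry never went through the init_t
    re-exec, or that was started before it (e.g. a telinit re-exec later)."""
    return [(p["pid"], p["command"]) for p in procs
            if p["domain"] == "kernel_t" and not is_kernel_thread(p)]


def domain_histogram(procs):
    """Count processes per domain, the overview Axel assembled by hand."""
    hist = {}
    for p in procs:
        hist[p["domain"]] = hist.get(p["domain"], 0) + 1
    return hist


if __name__ == "__main__":
    procs = parse_ps(PS_SAMPLE)
    print(domain_histogram(procs))
    for pid, cmd in userspace_in_kernel_t(procs):
        print(f"userspace process in kernel_t: pid {pid} ({cmd})")
```

On a live system feed it the output of `ps uaxwwZf` instead of PS_SAMPLE; an empty result from userspace_in_kernel_t is the expected state.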
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Tue, 01 Aug 2006 09:38:15 -0400
Subject: Policy Module Packaging Guidelines (first draft)
In-Reply-To: <44CF4DD4.7020500@city-fan.org>
References: <44CE2CB3.7070509@city-fan.org> <44CE3B72.4010605@kobold.org> <44CF4DD4.7020500@city-fan.org>
Message-ID: <1154439495.31522.97.camel@sgc>

On Tue, 2006-08-01 at 13:49 +0100, Paul Howarth wrote:
> > * How should the selinux policy module be versioned? Should it match
> > the application versioning? Are there any restrictions on policy module
> > version numbers?
>
> I don't think that policy numbers need bear any resemblance to the main
> package version; I've added a note to that effect. I'm not sure what the
> actual restrictions are on numbering, e.g. whether any characters not in
> the class [0-9.] are allowed.

It can basically be any character; anything that works right with
strverscmp(). For sanity we probably want to stick to [0-9a-z.].

Upstream refpolicy versioning is x.y.z, where z is incremented every time
the module changes, y is incremented on an upstream release if the module
has changed since the last release (i.e. z != 0), and x is incremented on
major changes to the module.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
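Added example (not Chris's or refpolicy's code) of the versioning rules above: validate a module version against [0-9a-z.], order versions the way strverscmp() orders numeric runs, and compute the next x.y.z for each of the three cases. The names of the change kinds ("edit", "release", "major") are my own labels for the three rules.

```python
import re

# Chris's sanity rule: stick to [0-9a-z.] even though strverscmp() accepts more.
VERSION_RE = re.compile(r"^[0-9a-z]+(\.[0-9a-z]+)*$")


def is_sane_version(version):
    """True if the version uses only [0-9a-z.] and has no empty components."""
    return bool(VERSION_RE.match(version))


def version_key(version):
    """Sort key approximating strverscmp(): digit runs compare as integers,
    other runs as text, so 1.0.10 sorts after 1.0.9 (plain string order
    would put it first). Leading-zero subtleties of strverscmp are ignored."""
    parts = re.findall(r"\d+|\D+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def bump(version, change):
    """Apply the upstream refpolicy x.y.z rules (numeric components assumed):
      'edit'    - the module changed: z += 1
      'release' - an upstream release is cut: if z != 0 then y += 1, z = 0
      'major'   - major rework of the module: x += 1, y = z = 0
    """
    if not is_sane_version(version):
        raise ValueError(f"version {version!r} is outside [0-9a-z.]")
    x, y, z = (int(p) for p in version.split("."))
    if change == "edit":
        z += 1
    elif change == "release":
        if z != 0:
            y, z = y + 1, 0
    elif change == "major":
        x, y, z = x + 1, 0, 0
    else:
        raise ValueError(f"unknown change kind {change!r}")
    return f"{x}.{y}.{z}"


if __name__ == "__main__":
    # Module versions as listed by `semodule -l` in the thread, plus a
    # constructed two-digit one to show the ordering difference.
    listed = ["amavis 1.0.5", "clamav 1.0.4", "dcc 1.0.1", "pyzor 1.0.4", "razor 1.0.1"]
    versions = [entry.split()[1] for entry in listed] + ["1.0.10"]
    print(sorted(versions, key=version_key))
    print(bump("1.0.5", "edit"), bump("1.0.5", "release"), bump("1.1.0", "major"))
```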
From: selinux at gmail.com (Tom London)
Date: Tue, 1 Aug 2006 06:58:34 -0700
Subject: AVC on install of libutempter ?
In-Reply-To: <20060731170447.31635.qmail@web51512.mail.yahoo.com>
References: <44CE099A.2030302@redhat.com> <20060731170447.31635.qmail@web51512.mail.yahoo.com>
Message-ID: <4c4ba1530608010658i542a9b53yde5f1e5a0bf62f10@mail.gmail.com>

On 7/31/06, Steve G wrote:
>
> >This log file seems very screwed up. Any idea what happened to it?
>
> There is a bug in the audit package that is fixed in 1.2.6 which should be
> released today/tomorrow. Any "untrusted string" gets deleted in the output.
>
> -Steve
>

Is this related?

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200240

tom
--
Tom London
From: dragoran at feuerpokemon.de (dragoran)
Date: Tue, 01 Aug 2006 17:22:15 +0200
Subject: smb can't access its own logfiles?
In-Reply-To: <1154282536.23966.42.camel@laurel.intra.city-fan.org>
References: <44CCE6A9.9050806@feuerpokemon.de> <1154282536.23966.42.camel@laurel.intra.city-fan.org>
Message-ID: <44CF71A7.3070109@feuerpokemon.de>

Paul Howarth wrote:
> On Sun, 2006-07-30 at 19:04 +0200, dragoran wrote:
>
>> I got these errors:
>> audit(1154259027.504:4): avc: denied { create } for pid=2610
>> comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
>> audit(1154259027.996:5): avc: denied { create } for pid=2613
>> comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0
>> tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
>> on an FC5 system running
>> selinux-policy-targeted-2.3.2-1.fc5 and samba-3.0.23a-1.fc5.1
>> is this a known bug/regression or should I file a bug report?
>>
>
> I saw this too.
>
> Samba wants to create the directories:
>
> /var/log/samba/cores/smbd
> /var/log/samba/cores/nmbd
>
> and set their modes to 0700. It dumps core into these directories if it
> detects an internal error, as described here:
>
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/bugreport.html
>
so in short this is a policy bug right?
> Paul.
>
>

From paul at city-fan.org Tue Aug 1 15:27:35 2006
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 01 Aug 2006 16:27:35 +0100
Subject: smb can't access its own logfiles?
In-Reply-To: <44CF71A7.3070109@feuerpokemon.de>
References: <44CCE6A9.9050806@feuerpokemon.de> <1154282536.23966.42.camel@laurel.intra.city-fan.org> <44CF71A7.3070109@feuerpokemon.de>
Message-ID: <44CF72E7.6050701@city-fan.org>

dragoran wrote:
> Paul Howarth wrote:
>> On Sun, 2006-07-30 at 19:04 +0200, dragoran wrote:
>>
>>> I got these errors:
>>> audit(1154259027.504:4): avc: denied { create } for pid=2610
>>> comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0
>>> tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
>>> audit(1154259027.996:5): avc: denied { create } for pid=2613
>>> comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0
>>> tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
>>> on an FC5 system running
>>> selinux-policy-targeted-2.3.2-1.fc5 and samba-3.0.23a-1.fc5.1
>>> is this a known bug/regression or should I file a bug report?
>>>
>>
>> I saw this too.
>>
>> Samba wants to create the directories:
>>
>> /var/log/samba/cores/smbd
>> /var/log/samba/cores/nmbd
>>
>> and set their modes to 0700. It dumps core into these directories if it
>> detects an internal error, as described here:
>>
>> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/bugreport.html
>>
>>
> so in short this is a policy bug right?

Yes, I would say so.

Paul.

From dragoran at feuerpokemon.de Tue Aug 1 15:51:34 2006
From: dragoran at feuerpokemon.de (dragoran)
Date: Tue, 01 Aug 2006 17:51:34 +0200
Subject: smb can't access its own logfiles?
In-Reply-To: <44CF72E7.6050701@city-fan.org>
References: <44CCE6A9.9050806@feuerpokemon.de> <1154282536.23966.42.camel@laurel.intra.city-fan.org> <44CF71A7.3070109@feuerpokemon.de> <44CF72E7.6050701@city-fan.org>
Message-ID: <44CF7886.5050806@feuerpokemon.de>

Paul Howarth wrote:
> dragoran wrote:
>> Paul Howarth wrote:
>>> On Sun, 2006-07-30 at 19:04 +0200, dragoran wrote:
>>>
>>>> I got these errors:
>>>> audit(1154259027.504:4): avc: denied { create } for pid=2610
>>>> comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0
>>>> tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
>>>> audit(1154259027.996:5): avc: denied { create } for pid=2613
>>>> comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0
>>>> tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
>>>> on an FC5 system running
>>>> selinux-policy-targeted-2.3.2-1.fc5 and samba-3.0.23a-1.fc5.1
>>>> is this a known bug/regression or should I file a bug report?
>>>>
>>>
>>> I saw this too.
>>>
>>> Samba wants to create the directories:
>>>
>>> /var/log/samba/cores/smbd
>>> /var/log/samba/cores/nmbd
>>>
>>> and set their modes to 0700. It dumps core into these directories if it
>>> detects an internal error, as described here:
>>>
>>> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/bugreport.html
>>>
>>>
>> so in short this is a policy bug right?
>
> Yes, I would say so.
>
ok, bug reported
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200914
> Paul.
>
>

From wart at kobold.org Tue Aug 1 19:29:14 2006
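The denial records quoted in this thread (and the httpd and mount denials elsewhere on this page) all carry the same fields: the denied permissions in braces, scontext, tcontext and tclass. As an added example, not code from the thread, the shell function below condenses a stream of such records into one line per (source type, target type, object class) with the union of denied permissions, which is the form a bug report like the one filed here needs, and the starting point for deciding whether the target is merely mislabelled. The function name is ours; the first two sample records are the ones dragoran posted and the third is constructed to show permission merging.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials into "src_type tgt_type:class { perms }"
# lines. Not code from the thread; the function name and sample data are ours.

# Sample input, constructed for this example. The first two records are the
# ones posted in the thread; the third is made up to show permission merging.
SAMPLE_AVCS='audit(1154259027.504:4): avc: denied { create } for pid=2610 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
audit(1154259027.996:5): avc: denied { create } for pid=2613 comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
audit(1154259028.100:6): avc: denied { write add_name } for pid=2610 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir'

# summarise_avcs: read AVC records on stdin (syslog or audit.log format, with
# or without a leading "type=AVC msg="), print one sorted line per unique
# (source type, target type, object class) carrying every permission denied.
summarise_avcs() {
    awk '
    /avc: +denied/ {
        # permissions sit between the first "{" and "}" of the record
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "scontext=") == 1)      src = substr($i, 10)
            else if (index($i, "tcontext=") == 1) tgt = substr($i, 10)
            else if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        # contexts are user:role:type[:mls]; keep only the type
        split(src, sf, ":"); split(tgt, tf, ":")
        key = sf[3] " " tf[3] ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " perms_of[key] " ", " " p[j] " ") == 0)
                perms_of[key] = perms_of[key] " " p[j]
    }
    END {
        for (k in perms_of) printf "%s {%s }\n", k, perms_of[k]
    }' | sort
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | summarise_avcs
```

In use, feed it `grep 'avc:' /var/log/messages` or `ausearch -m avc` output. Compare the reported target label with what `matchpathcon` says the path should carry: if they agree, the policy itself lacks the rule and a bug report is the right step, as in this thread; if they differ, `restorecon` on the path is the fix and no policy change is needed.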
From: wart at kobold.org (Michael Thomas)
Date: Tue, 01 Aug 2006 12:29:14 -0700
Subject: Policy Module Packaging Guidelines (first draft)
In-Reply-To: <44CF4DD4.7020500@city-fan.org>
References: <44CE2CB3.7070509@city-fan.org> <44CE3B72.4010605@kobold.org> <44CF4DD4.7020500@city-fan.org>
Message-ID: <44CFAB8A.8060201@kobold.org>

Paul Howarth wrote:
> Wart wrote:
>> * In the 'separate subpackage' section do you want to add a note about
>> making the -selinux subpackage an entirely new package with its own
>> specfile, instead of a subpackage in an existing spec file?
>>
>> Advantages:
>>
>> Keeps the spec files much simpler and easier to read.
>> Allows for separate maintainers of the main and -selinux packages.
>> selinux packages can be updated without pushing new builds of the main
>> package
>>
>> Disadvantages:
>>
>> Care must be taken to make sure that the selinux package is updated with
>> the main package as needed.
>> What value should be given for the URL and License tags in the spec file?
>
>
> I think this idea merits some discussion. I tend to think of policy
> modules as being rather like kernel modules, in that they're things that
> are useful and usable whilst still under development but that ideally
> should eventually become unnecessary because they get merged into the
> main upstream project. So a separate package should be a short-lived
> package really.
>
> I see the merits of having a separate package but I'd be in favour of
> such packages having to be justified as per kernel modules, along with a
> roadmap for an upstream merge.

Is there a concern that the main upstream project will start to get
bloated with the adoption of all of these individual policies? I had
thought of the policy modules as a way to separate the ongoing
maintenance of the policy file from the main upstream project. But as
you point out, if the policy module is only merged upstream once it has
stabilized, there shouldn't be much maintenance necessary.

I guess I can see both sides of the argument, and I don't have much of a
preference either way.

>> * Don't you want to call 'fixfiles -R' in the %post and %postun sections
>> of the sample templates? You included it in the scriptlets section
>> above.
>
>
> I did, but I think the scriptlet code is likely to be so different for
> different packages that I didn't want to include too much in there on
> the basis that some people might just cut-and-paste things that aren't
> necessary.
>
> How about I use "restorecon" in one of the templates and "fixfiles" in
> the other, in order to illustrate that there's no one "right" way of
> doing it?

Sounds good to me.

--Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3820 bytes
Desc: S/MIME Cryptographic Signature
URL:

From Axel.Thimm at ATrpms.net Tue Aug 1 22:19:11 2006
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Wed, 2 Aug 2006 00:19:11 +0200
Subject: hotplug_t?
In-Reply-To: <1154439495.3582.88.camel@moss-spartans.epoch.ncsc.mil>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana> <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil> <20060801132121.GG6313@neu.nirvana> <1154439495.3582.88.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20060801221911.GA19738@neu.nirvana>

On Tue, Aug 01, 2006 at 09:38:15AM -0400, Stephen Smalley wrote:
> On Tue, 2006-08-01 at 15:21 +0200, Axel Thimm wrote:
> > On Tue, Aug 01, 2006 at 09:16:04AM -0400, Stephen Smalley wrote:
> > > On Tue, 2006-08-01 at 14:51 +0200, Axel Thimm wrote:
> > > > Does the following output help? Looks like anything called from sshd
> > > > gets into hotplug_t. The main sshd process runs under
> > > > system_u:system_r:kernel_t.
> > >
> > > sshd running in kernel_t is the problem; that should never happen (init
> > > transitions to init_t, then everything flows from it; nothing should
> > > ever transition back into kernel_t). Only kernel threads should have
> > > kernel_t (init will start life as kernel_t but then transition; usermode
> > > helpers like modprobe and hotplug should transition upon the exec).
> >
> > Hm, there are tons of processes in kernel_t, in fact almost everything
> > but sshd initiated processes, httpd, rotatelog and spamd.
> >
> > Maybe I need to restart init yet another time (e.g. reboot). Would
> > that make sense?
>
> It would if init were running in kernel_t too. But given that it is
> running in init_t, I don't understand how its descendants got back to
> kernel_t. Unless the transition to init_t happened after starting the
> descendants, e.g. you manually told init to re-exec via telinit.

I didn't do so consciously. I rebooted the system and there is no
hotplug_t trace anymore in the processes. What I think I missed is the
reboot after the fixfiles command. But I don't understand how init
would go back and forth into different security contexts.

Anyway, for me I'm happy that the system is in a normal selinux state
(I hope) and that I can start using selinux in real life (permissive
for now while learning).

Thanks!
-- 
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL:

From sds at tycho.nsa.gov Wed Aug 2 13:56:35 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 02 Aug 2006 09:56:35 -0400
Subject: hotplug_t?
In-Reply-To: <20060801221911.GA19738@neu.nirvana>
References: <20060731135445.GP19516@neu.nirvana> <44CE16A6.4050305@redhat.com> <20060801051015.GT19516@neu.nirvana> <1154436521.3582.52.camel@moss-spartans.epoch.ncsc.mil> <20060801125142.GE6313@neu.nirvana> <1154438164.3582.76.camel@moss-spartans.epoch.ncsc.mil> <20060801132121.GG6313@neu.nirvana> <1154439495.3582.88.camel@moss-spartans.epoch.ncsc.mil> <20060801221911.GA19738@neu.nirvana>
Message-ID: <1154526995.16917.69.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-08-02 at 00:19 +0200, Axel Thimm wrote:
> On Tue, Aug 01, 2006 at 09:38:15AM -0400, Stephen Smalley wrote:
> > It would if init were running in kernel_t too. But given that it is
> > running in init_t, I don't understand how its descendants got back to
> > kernel_t. Unless the transition to init_t happened after starting the
> > descendants, e.g. you manually told init to re-exec via telinit.
>
> I didn't do so consciously. I rebooted the system and there is no
> hotplug_t trace anymore in the processes. What I think I missed is the
> reboot after the fixfiles command. But I don't understand how init
> would go back and forth into different security contexts.

I'd guess that init was told to re-exec via telinit u after you
relabeled the filesystem, so that it finally transitioned to the right
domain, but this didn't help already existing descendants of init that
had been spawned while it was still kernel_t (i.e. when you first booted
the system, /sbin/init had the wrong type, so init was left in kernel_t,
then you relabeled, then something told it to re-exec). Performing an
update of libselinux, glibc, or SysVinit would have done a telinit u, I
think.

> Anyway for me I'm happy that the system is in a normal selinux state
> (I hope) and that I can start using selinux in real life (permissive
> for now while learning).

Good, glad it is working now.

-- 
Stephen Smalley
National Security Agency

From stuart at secpay.com Thu Aug 3 15:00:05 2006
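Stephen's diagnosis above (init left in kernel_t because /sbin/init was mislabelled at first boot, every child inheriting that domain, and a later re-exec fixing only init itself) can be checked for directly. The following is an added example, not code from the thread: it walks a /proc tree, reads each process's context from /proc/PID/attr/current, and reports user-space processes (those with a /proc/PID/exe link; kernel threads have none) still running in kernel_t, and whether pid 1 is in init_t. The proc-root parameter is an assumption so the check can run against a copy, and the fake-proc builder with its pids, contexts and paths is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): find user-space processes stuck in
# kernel_t, the symptom Stephen explains. The proc root defaults to /proc;
# pass another directory to run against a copy or the constructed sample below.

# read_context: print a process's SELinux context without the trailing NUL
# the kernel appends to /proc/PID/attr/current.
read_context() {   # $1 = proc root, $2 = pid
    tr -d '\000' < "$1/$2/attr/current" 2>/dev/null
}

# context_type: the type field of user:role:type[:mls].
context_type() {   # $1 = context
    printf '%s\n' "$1" | cut -d: -f3
}

# check_init_domain: pid 1 must be in init_t; anything else means /sbin/init
# was mislabelled at boot (fix: relabel, then reboot, as in the thread).
check_init_domain() {   # $1 = proc root (default /proc)
    root=${1:-/proc}
    ctx=$(read_context "$root" 1) || ctx=""
    if [ "$(context_type "$ctx")" = init_t ]; then
        return 0
    fi
    echo "pid 1 runs as '$ctx', expected init_t: relabel and reboot" >&2
    return 1
}

# find_userspace_kernel_t: print "pid=N exe=PATH context=CTX" for every
# process that has an executable (so is not a kernel thread) but still
# carries the kernel_t domain.
find_userspace_kernel_t() {   # $1 = proc root (default /proc)
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        ctx=$(read_context "$root" "$pid") || continue
        [ -n "$ctx" ] || continue
        # kernel threads have no /proc/PID/exe link at all
        [ -L "$d/exe" ] || continue
        if [ "$(context_type "$ctx")" = kernel_t ]; then
            echo "pid=$pid exe=$(readlink "$d/exe") context=$ctx"
        fi
    done
    return 0
}

# make_fake_proc: build a constructed /proc look-alike (sample data, not a
# real system): init correctly in init_t, a kernel thread in kernel_t, an
# sshd wrongly in kernel_t, and a normal shell.
make_fake_proc() {   # $1 = directory to populate
    printf '%s\n' \
        '1|system_u:system_r:init_t|/sbin/init' \
        '2|system_u:system_r:kernel_t|' \
        '1234|system_u:system_r:kernel_t|/usr/sbin/sshd' \
        '2000|user_u:system_r:unconfined_t:s0-s0:c0.c255|/bin/bash' |
    while IFS='|' read -r pid ctx exe; do
        mkdir -p "$1/$pid/attr"
        printf '%s\000' "$ctx" > "$1/$pid/attr/current"
        if [ -n "$exe" ]; then ln -s "$exe" "$1/$pid/exe"; fi
    done
}

# Stand-alone run against the constructed sample.
sample=$(mktemp -d)
make_fake_proc "$sample"
check_init_domain "$sample" && find_userspace_kernel_t "$sample"
rm -rf "$sample"
```

On a live box run `check_init_domain && find_userspace_kernel_t` as root after a relabel; any line printed names a process that must be restarted (or the machine rebooted, as Axel did) before the system is in the state the policy assumes.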
From: stuart at secpay.com (Stuart James)
Date: Thu, 3 Aug 2006 16:00:05 +0100
Subject: Audit logging
Message-ID: <20060803160005.128d5da5@stuart.ripon.secpay.com>

Hi,

For the purpose of PCI auditing, I am looking into doing a proper
security trail, particularly of users who su / sudo to root/system_r.

From PCI standards:

10.5 Secure audit trails so they cannot be altered, including the
following:
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back-up audit trail files to a centralized log server or
media that is difficult to alter

To begin, I have ventured into using auditctl and defining a few rules
to start with. Would it be best to write a custom selinux policy to log
all system_r commands / syscalls so someone could not just turn off the
auditd.

Currently we already use Syslog-ng, which hopefully we can incorporate
auditd to log to the central syslog servers.

The rules I have played with by adding to /etc/audit.rules (among
others) (we use auid 999 for testing):

-a entry,always -F uid=0 -F auid=999 -S open -S exit
-a task,always -F uid=0 -F auid=999

The problem is, I get tons of syscalls for applications such as sshd and
tail:

type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255

Would it be possible to use the "exclude" for auditctl, but I am unsure
of how to not log sshd and tail without using a pid, which can obviously
change.

Is auditctl the appropriate way to go about logging, or is it better to
modify the selinux policy in some way?

Thanks in advance,

-- 
Stuart James
System Administrator
DDI - (44) 0 1765 643354

From linux_4ever at yahoo.com Thu Aug 3 15:47:10 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Thu, 3 Aug 2006 08:47:10 -0700 (PDT)
Subject: Audit logging
In-Reply-To: <20060803160005.128d5da5@stuart.ripon.secpay.com>
Message-ID: <20060803154710.25740.qmail@web51513.mail.yahoo.com>

>From PCI standards

I'm not familiar with this one, where would I find its requirements on
the internet?

>10.5 Secure audit trails so they cannot be altered, including the
>following:
>10.5.1 Limit viewing of audit trails to those with a
>job-related need.
>10.5.2 Protect audit trail files from unauthorized
>modifications.

The above is handled currently by the audit system.

>10.5.3 Promptly back-up audit trail files to a
>centralized log server or media that is difficult to alter

You'll have to modify the cron script to do this.

>Would it be best to write a custom selinux policy to log all system_r
>commands / syscalls so someone could not just turn off the auditd.

No one can turn off auditd unless they are root. Do you have untrusted
root users?

>Currently we already use Syslog-ng, which hopefully we can incorporate
>auditd to log to the central syslog servers.

Generally what you would want to do is update the cron script to rename
the files with date, time, and machine name. Then scp them to a
directory on a remote machine. I would not merge the logs with syslog
since you will lose the ability to use any audit tools.

>-a entry,always -F uid=0 -F auid=999 -S open -S exit
>-a task,always -F uid=0 -F auid=999

This will log every open of every file for that user. What are you
really trying to capture? Generally, security targets are concerned with
modifications of specific files.

>The problem is, I get tons of syscalls for applications such as sshd
>and tail

Yep.

>Would it be possible to use the "exclude" for auditctl,

This will exclude one type of message. For example, you can get rid of
everything with type=LOGIN. It only looks at that one field and nothing
else.

>but I am unsure of how to not log sshd and tail without using a pid which
>can obviously change.

What are you really trying to record?

>Is auditctl the appropriate way to go about logging,

Audit should be used to audit with.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From dragoran at feuerpokemon.de Thu Aug 3 15:56:50 2006
From: dragoran at feuerpokemon.de (dragoran)
Date: Thu, 03 Aug 2006 17:56:50 +0200
Subject: new httpd related avcs
Message-ID: <44D21CC2.40704@feuerpokemon.de>

hello
today I found this in my logs running FC5 with targeted-policy:

audit(1154611448.959:6): avc: denied { read } for pid=5341 comm="sh" name="[7359]" dev=eventpollfs ino=7359 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611449.099:7): avc: denied { read } for pid=5342 comm="sh" name="[7359]" dev=eventpollfs ino=7359 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611464.112:8): avc: denied { read } for pid=5345 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611464.164:9): avc: denied { read } for pid=5346 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611506.527:10): avc: denied { read } for pid=5351 comm="sh" name="[7365]" dev=eventpollfs ino=7365 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611506.571:11): avc: denied { read } for pid=5352 comm="sh" name="[7365]" dev=eventpollfs ino=7365 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611507.831:12): avc: denied { read } for pid=5354 comm="sh" name="[7358]" dev=eventpollfs ino=7358 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611507.919:13): avc: denied { read } for pid=5355 comm="sh" name="[7358]" dev=eventpollfs ino=7358 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611508.475:14): avc: denied { read } for pid=5357 comm="sh" name="[7362]" dev=eventpollfs ino=7362 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611508.531:15): avc: denied { read } for pid=5358 comm="sh" name="[7362]" dev=eventpollfs ino=7362 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611888.403:16): avc: denied { read } for pid=5392 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611888.447:17): avc: denied { read } for pid=5393 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

what is causing them? bug or something mislabeled?

httpd-2.2.2-1.2
selinux-policy-targeted-2.3.3-8.fc5

From stuart at secpay.com Thu Aug 3 16:44:04 2006
From: stuart at secpay.com (Stuart James)
Date: Thu, 3 Aug 2006 17:44:04 +0100
Subject: Audit logging
In-Reply-To: <20060803154710.25740.qmail@web51513.mail.yahoo.com>
References: <20060803160005.128d5da5@stuart.ripon.secpay.com> <20060803154710.25740.qmail@web51513.mail.yahoo.com>
Message-ID: <20060803174404.5edbb596@stuart.ripon.secpay.com>

Hi Steve,

On Thu, 3 Aug 2006 08:47:10 -0700 (PDT)
Steve G wrote:

>
> >From PCI standards
>
> I'm not familiar with this one, where would I find its requirements
> on the internet?
>
> >10.5 Secure audit trails so they cannot be altered, including the
> >following:
> >10.5.1 Limit viewing of audit trails to those with a
> >job-related need.
> >10.5.2 Protect audit trail files from unauthorized
> >modifications.
>
> The above is handled currently by the audit system.
>
> >10.5.3 Promptly back-up audit trail files to a
> >centralized log server or media that is difficult to alter
>
> You'll have to modify the cron script to do this.
>
> >Would it be best to write a custom selinux policy to log all system_r
> >commands / syscalls so someone could not just turn off the auditd.
>
> No one can turn off auditd unless they are root. Do you have
> untrusted root users?

We do not have untrusted root users, the problem is we are trying to
audit ourselves and do it in a way that we could not easily circumvent,
and if we were to there would be a record. For instance if I were to
disable auditd, there should be a record of such as I do it on a central
log server I do not have access to.

Currently we use Sudo and log via syslog-ng to a central server,
obviously sudo can be circumvented in many ways such as "sudo /bin/bash"
will do it.

>
> >Currently we already use Syslog-ng, which hopefully we can
> >incorporate auditd to log to the central syslog servers.
>
> Generally what you would want to do is update the cron script to
> rename the files with date, time, and machine name. Then scp them to
> a directory on a remote machine. I would not merge the logs with
> syslog since you will lose the ability to use any audit tools.
>
> >-a entry,always -F uid=0 -F auid=999 -S open -S exit
> >-a task,always -F uid=0 -F auid=999
>
> This will log every open of every file for that user. What are you
> really trying to capture? Generally, security targets are concerned
> with modifications of specific files.
>
> >The problem is, I get tons of syscalls for applications such as sshd
> >and tail
>
> Yep.
>
> >Would it be possible to use the "exclude" for auditctl,
>
> This will exclude one type of message. For example, you can get rid
> of everything
>

If I wanted to exclude the following:

type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255

-a exclude,always -F msgtype=SYSCALL
-a exit,always -F uid=0
-a entry,always -F uid=0

Is this correct? Or can I do something

-a exit,

> with type=LOGIN. It only looks at that one field and nothing else.
>
> >but I am unsure of how to not log sshd and tail without using a pid
> >which can obviously change.
>
> What are you really trying to record?

Trying to record when people access particular files, which I have been
looking at the auditctl -w but the examples do not work in the
documentation such as (found in capp.rules)

-w /var/log/audit/ -k LOG_audit

Thanks in advance

-- 
Stuart James
System Administrator
DDI - (44) 0 1765 643354

From linux_4ever at yahoo.com Thu Aug 3 17:50:49 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Thu, 3 Aug 2006 10:50:49 -0700 (PDT)
Subject: Audit logging
In-Reply-To: <20060803174404.5edbb596@stuart.ripon.secpay.com>
Message-ID: <20060803175049.48181.qmail@web51502.mail.yahoo.com>

>> No one can turn off auditd unless they are root. Do you have
>> untrusted root users?
>
>We do not have untrusted root users, the problem is we are trying to
>audit ourselves and do it in a way that we could not easily
>circumvent

You will likely need to use the realtime interface and write a program
that moves the data to another machine. I will be writing one in a
couple months, but in the meantime everyone has to cobble together their
own solution. Otherwise they can just do auditctl -e 0 and you are done.

>If I wanted to exclude the following
>
>type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2
>success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561
>auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>tty=(none) comm="sshd" exe="/usr/sbin/sshd"
>subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
>
>
>-a exclude,always -F msgtype=SYSCALL
>-a exit,always -F uid=0
>-a entry,always -F uid=0
>
>Is this correct ?

These are 3 different rules that form an OR condition. What will happen
is SYSCALL records in the event will be thrown away, any syscall with
uid 0 will be recorded, and a redundant rule will try to do the same
thing.

>or can I do something
>-a exit,

No.

> What are you really trying to record?
>
>Trying to record when people access particular files, which I have
>been looking at the auditctl -w but the examples do not work in the
>documentation

You have to have the 2.6.18 kernel to get this to work. Otherwise you
are limited to using -F devmajor=xx -F devminor=yy

>such as (found in capp.rules)
>
>-w /var/log/audit/ -k LOG_audit

The above works for 2.6.18 kernel.

-Steve

From daobrien at redhat.com Fri Aug 4 00:07:43 2006
From: daobrien at redhat.com (David O'Brien)
Date: Fri, 4 Aug 2006 10:07:43 +1000
Subject: Audit logging
In-Reply-To: <20060803174404.5edbb596@stuart.ripon.secpay.com>
References: <20060803160005.128d5da5@stuart.ripon.secpay.com> <20060803154710.25740.qmail@web51513.mail.yahoo.com> <20060803174404.5edbb596@stuart.ripon.secpay.com>
Message-ID: <200608041007.44127.daobrien@redhat.com>

top post...

Stuart,
I'm following this thread with interest, as I'm in the process of
updating the RHEL5 documentation for Security and SELinux and I'm
looking especially for Use Cases/real world scenarios (rather than
fabricated implementations). I'm especially interested in getting
community input for this.

If I'm reading this correctly, this could be a "Using SELinux to perform
self-auditing" (or whatever) topic, including why you would do that, why
SELinux is a good way to do it, and then *how* to do it exactly, with
expected results, possible variations, and some troubleshooting,
perhaps. Also some material on how/what *not* to do.

How do you feel about getting involved in this? I'm a writer, not an
SELinux expert, so I'm relying on input from others for the techie bits.

Further, if you're aware of documentation that's wrong or hard to
follow, let me know or file a bug
(https://bugzilla.redhat.com/bugzilla/index.cgi).

cheers
David

On Friday 04 August 2006 02:44, Stuart James wrote:
> [...]

-- 
David O'Brien
Red Hat Asia Pacific Pty Ltd
Tel: +61-7-3514-8189
Fax: +61-7-3514-8199
email: daobrien at redhat.com
web: http://apac.redhat.com/
IRC: daobrien #docs #selinux #devel #doc-i18n

From stuart at secpay.com Fri Aug 4 09:08:23 2006
From: stuart at secpay.com (Stuart James) Date: Fri, 4 Aug 2006 10:08:23 +0100 Subject: Audit logging In-Reply-To: <200608041007.44127.daobrien@redhat.com> References: <20060803160005.128d5da5@stuart.ripon.secpay.com> <20060803154710.25740.qmail@web51513.mail.yahoo.com> <20060803174404.5edbb596@stuart.ripon.secpay.com> <200608041007.44127.daobrien@redhat.com> Message-ID: <20060804100823.2c6246d6@stuart-int.jamesnet.ca> Hi David, On Fri, 4 Aug 2006 10:07:43 +1000 "David O'Brien" wrote: > top post... > > Stuart, > I'm following this thread with interest, as I'm in the process of > updating the RHEL5 documentation for Security and SELinux and I'm > looking especially for Use Cases/real world scenarios (rather than > fabricated implementations). I'm especially interested in getting > community input for this. > > If I'm reading this correctly, this could be a "Using SELinux to > perform self-auditing" (or whatever) topic, including why you would > do that, why SELinux is a good way to do it, and then *how* to do it > exactly, with expected results, possible variations, and some > troubleshooting, perhaps. Also some material on how/what *not* to do. I would be more then interested in helping with this documentation or the reason why we are doing this. Our company is an E-commerce firm that deals with the issue of protecting the integrity of the card holder environment for the purpose of PCI audits. http://www.secpay.com/secpay/index.php/content/view/full/267.html https://sdp.mastercardintl.com/pdf/pcd_manual.pdf As it now has become more rigorous of certification(formally Visa AIS) to achieve and is mandatory for us to continue transacting one of the main issues of the standard we are faced with is section 10.5.x which previously we have passed based on sudo logging to a central syslog server. 
As mentioned previously it's not because we have untrusted root users, it's that we have to prove to a third party auditor that we can create a forensic security trail of a user's actions. We have looked into other software such as symark powerbroker, which indeed does what we need, although it is logging solely in userspace, but the fact that it is not opensource software and has a hefty price tag means we would rather look at selinux / auditing.

> How do you feel about getting involved in this? I'm a writer, not an
> SELinux expert, so I'm relying on input from others for the techie
> bits.
>
> Further, if you're aware of documentation that's wrong or hard to
> follow, let me know or file a bug
> (https://bugzilla.redhat.com/bugzilla/index.cgi).
>
> cheers
> David
>

Regards,
Stuart James

From linux_4ever at yahoo.com Fri Aug 4 10:08:09 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Fri, 4 Aug 2006 03:08:09 -0700 (PDT)
Subject: Audit logging
In-Reply-To: <200608041007.44127.daobrien@redhat.com>
Message-ID: <20060804100809.20523.qmail@web51501.mail.yahoo.com>

>If I'm reading this correctly, this could be a "Using SELinux to
>perform self-auditing" (or whatever) topic, including why you would do that,
>why SELinux is a good way to do it,

SE Linux is the wrong approach for this. This is more in the domain of what the audit system does. A simple case of auditing root actions is handled by this:

-a always,entry -S execve -F "auid>500" -F uid=0

This will capture all execve parameters for people that logged in with a normal user account and have changed uid to root. You have to forbid people logging in directly as root, too. It might be better if we update bash to log commands instead of getting every execve.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From paul at city-fan.org Fri Aug 4 11:08:11 2006
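Steve G's execve rule above, and the exclude rule Stuart asked about earlier in the thread, can be checked against sample records before they go into audit.rules. The Python below is an added example, not code from the thread or from the audit package: it parses the small subset of auditctl syntax used here (-a, -S, -F with =, !=, <, >, <=, >=), compares uid-like fields as unsigned integers the way the kernel does, and runs the rules over constructed records modelled on the SYSCALL record Stuart quoted (its auid=XXX is replaced by a made-up 501). The syscall numbers are x86_64 values and 4294967295 is the kernel's value for an unset login uid; both are assumptions of this example.

```python
"""Match Linux audit SYSCALL records against auditctl-style rules."""
import re

# key=value pairs as they appear in /var/log/audit/audit.log
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Minimal syscall table (x86_64 numbers) for the names this example needs.
SYSCALL_NR_X86_64 = {"open": 2, "execve": 59}
# What the kernel reports as auid for a process whose login uid was never set
# (daemons started at boot).  It is unsigned, so it is "greater" than any real uid.
AUID_UNSET = 4294967295

# Constructed sample records, modelled on the SYSCALL record quoted in this
# thread (its auid=XXX is replaced by a made-up 501).
SAMPLE_RECORDS = [
    # open() by sshd on behalf of user 501 who became root
    'type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 '
    'auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    # execve() from an interactive root shell that began as user 501
    'type=SYSCALL msg=audit(1154617900.100:67480): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 pid=25600 auid=501 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="bash" '
    'exe="/bin/bash" subj=user_u:system_r:unconfined_t:s0',
    # execve() by crond, which never had a login uid
    'type=SYSCALL msg=audit(1154617901.200:67481): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 pid=25601 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) comm="crond" exe="/usr/sbin/crond" '
    'subj=system_u:system_r:crond_t:s0',
    # a non-SYSCALL record; syscall rules never select it
    'type=LOGIN msg=audit(1154617800.000:67470): login pid=25550 uid=0 '
    'old auid=4294967295 new auid=501',
]


def parse_record(line):
    """One audit record -> dict of its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_rule(rule):
    """Parse the subset of auditctl syntax used in this thread:
    -a <list>,<action> [-S syscall]... [-F field<op>value]...
    Returns (list name, [syscall names], [(field, op, value)])."""
    tokens = rule.split()
    list_name, syscalls, conds = None, [], []
    for opt, arg in zip(tokens[0::2], tokens[1::2]):
        if opt == "-a":
            list_name = arg.split(",")[0]
        elif opt == "-S":
            syscalls.append(arg)
        elif opt == "-F":
            m = re.fullmatch(r"(\w+)(>=|<=|!=|=|>|<)(.+)", arg.strip('"'))
            if not m:
                raise ValueError("bad -F expression: " + arg)
            conds.append(m.groups())
        else:
            raise ValueError("unsupported option: " + opt)
    return list_name, syscalls, conds


def _compare(lhs, op, rhs):
    """Compare as unsigned integers when both sides are numeric (the kernel's
    behaviour for uid-like fields), otherwise as strings."""
    try:
        lhs, rhs = int(lhs), int(rhs)
    except ValueError:
        if op not in ("=", "!="):
            raise ValueError("ordering comparison on a non-numeric field")
    return {"=": lhs == rhs, "!=": lhs != rhs, ">": lhs > rhs,
            "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]


def rule_matches(rule, rec):
    """True when the record satisfies every part of the parsed rule."""
    list_name, syscalls, conds = rule
    if list_name == "exclude":
        # the exclude list looks at the record type (msgtype) and nothing else
        return all(f == "msgtype" and _compare(rec.get("type", ""), op, v)
                   for f, op, v in conds)
    if rec.get("type") != "SYSCALL":
        return False
    if syscalls and int(rec["syscall"]) not in {SYSCALL_NR_X86_64[s] for s in syscalls}:
        return False
    return all(f in rec and _compare(rec[f], op, v) for f, op, v in conds)


def select_pids(rule_text, records=SAMPLE_RECORDS):
    """PIDs of the records a syscall rule would have made the kernel log."""
    rule = parse_rule(rule_text)
    return [r["pid"] for r in map(parse_record, records) if rule_matches(rule, r)]


def surviving_types(exclude_rule_text, records=SAMPLE_RECORDS):
    """Record types still logged after an exclude rule is applied."""
    rule = parse_rule(exclude_rule_text)
    return [r["type"] for r in map(parse_record, records) if not rule_matches(rule, r)]


if __name__ == "__main__":
    steve = '-a always,entry -S execve -F "auid>500" -F uid=0'
    print(select_pids(steve))                                  # ['25600', '25601']
    print(select_pids(steve + " -F auid!=%d" % AUID_UNSET))    # ['25600']
    print(surviving_types("-a exclude,always -F msgtype=SYSCALL"))  # ['LOGIN']
```

The sample exposes one thing worth knowing before deploying the rule: auid>500 also matches processes whose login uid was never set, because the kernel reports that as 4294967295 and compares it unsigned, so crond's execve is logged alongside the administrator's shell. Adding -F auid!=4294967295 keeps only sessions that began as a real user, which is what the rule is meant to capture. The exclude list behaves as described further up the thread: it looks at msgtype only, so the sample exclude rule drops every SYSCALL record and leaves the LOGIN record.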
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 04 Aug 2006 12:08:11 +0100
Subject: Policy Module Packaging Guidelines (first draft)
In-Reply-To: <1154439495.31522.97.camel@sgc>
References: <44CE2CB3.7070509@city-fan.org> <44CE3B72.4010605@kobold.org> <44CF4DD4.7020500@city-fan.org> <1154439495.31522.97.camel@sgc>
Message-ID: <44D32A9B.3080703@city-fan.org>

Christopher J. PeBenito wrote:
> On Tue, 2006-08-01 at 13:49 +0100, Paul Howarth wrote:
>>> * How should the selinux policy module be versioned? Should it match
>>> the application versioning? Are there any restrictions on policy module
>>> version numbers?
>> I don't think that policy numbers need bear any resemblance to the main
>> package version; I've added a note to that effect. I'm not sure what the
>> actual restrictions are on numbering, e.g. whether any characters not in
>> the class [0-9.] are allowed.
>
> It can basically be any character; anything that works right with
> strverscmp(). For sanity we probably want to stick to [0-9a-z.].
>
> Upstream refpolicy versioning is x.y.z, where z is incremented every
> time the module changes, y is incremented on an upstream release if the
> module has changed since the last release (i.e. z != 0), and x is
> incremented on major changes to the module.

Thanks; I've added these details to the wiki page.

Paul.

From paul at city-fan.org Fri Aug 4 11:41:27 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 04 Aug 2006 12:41:27 +0100
Subject: Policy Module Packaging Guidelines (first draft)
In-Reply-To: <44CFAB8A.8060201@kobold.org>
References: <44CE2CB3.7070509@city-fan.org> <44CE3B72.4010605@kobold.org> <44CF4DD4.7020500@city-fan.org> <44CFAB8A.8060201@kobold.org>
Message-ID: <44D33267.6020102@city-fan.org>

Michael Thomas wrote:
> Paul Howarth wrote:
>> Wart wrote:
>>> * In the 'separate subpackage' section do you want to add a note about
>>> making the -selinux subpackage an entirely new package with its own
>>> specfile, instead of a subpackage in an existing spec file?
>>>
>>> Advantages:
>>>
>>> Keeps the spec files much simpler and easier to read.
>>> Allows for separate maintainers of the main and -selinux packages.
>>> selinux packages can be updated without pushing new builds of the main
>>> package
>>>
>>> Disadvantages:
>>>
>>> Care must be taken to make sure that the selinux package is updated with
>>> the main package as needed.
>>> What value should be given for the URL and License tags in the spec file?
>>
>> I think this idea merits some discussion. I tend to think of policy
>> modules as being rather like kernel modules, in that they're things that
>> are useful and usable whilst still under development but that ideally
>> should eventually become unnecessary because they get merged into the
>> main upstream project. So a separate package should be a short-lived
>> package really.
>>
>> I see the merits of having a separate package but I'd be in favour of
>> such packages having to be justified as per kernel modules, along with a
>> roadmap for an upstream merge.
>
> Is there a concern that the main upstream project will start to get
> bloated with the adoption of all of these individual policies? I had
> thought of the policy modules as a way to separate the ongoing
> maintenance of the policy file from the main upstream project.
> But as
> you point out, if the policy module is only merged upstream once it has
> stabilized, there shouldn't be much maintenance necessary. I guess I
> can see both sides of the argument, and I don't have much of a
> preference either way.
>
>>> * Don't you want to call 'fixfiles -R' in the %post and %postun sections
>>> of the sample templates? You included it in the scriptlets section
>>> above.
>>
>> I did, but I think the scriptlet code is likely to be so different for
>> different packages that I didn't want to include too much in there on
>> the basis that some people might just cut-and-paste things that aren't
>> necessary.
>>
>> How about I use "restorecon" in one of the templates and "fixfiles" in
>> the other, in order to illustrate that there's no one "right" way of
>> doing it?
>
> Sounds good to me.

OK, changes now incorporated on the wiki page:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

Paul.

From imarks at comcast.net Fri Aug 4 14:19:18 2006
From: imarks at comcast.net (Ian Marks)
Date: Fri, 04 Aug 2006 10:19:18 -0400
Subject: Logrotate and Selinux
Message-ID: <44D35766.501@comcast.net>

I am trying to set logrotate to rotate specific syslogged files outside of /var/log. My application is logging under /opt/app_name/log/. To allow syslog to be able to log/write to this file, I had to set the appropriate context of the file to user_u:object_r:var_log_t. Since the file isn't under /var/log, I don't think the context will be preserved once it's been rotated, thus preventing syslog from writing to the file. What is the best fix for this in RHEL4?

Thanks,
Ian

From rhallyx at mindspring.com Fri Aug 4 19:59:36 2006
From: rhallyx at mindspring.com (Richard Hally)
Date: Fri, 04 Aug 2006 15:59:36 -0400
Subject: strict error message
Message-ID: <44D3A728.1040003@mindspring.com>

I've been getting the following error message when updating with yum:

> Updating : selinux-policy-strict ####################### [26/66]
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).

Do I need to bugzilla this?

Richard

From jacliburn at bellsouth.net Sat Aug 5 02:35:08 2006
From: jacliburn at bellsouth.net (Jay Cliburn)
Date: Fri, 04 Aug 2006 21:35:08 -0500
Subject: Setroubleshoot question
Message-ID: <44D403DC.4010004@bellsouth.net>

Is it a bug that setroubleshoot_dispatcher continues to run even when setroubleshoot is shut off?

[root at osprey ~]# rpm -q setroubleshoot
setroubleshoot-0.16-1
[root at osprey ~]# service setroubleshoot status
setroubleshoot is stopped
[root at osprey ~]# ps -ef | grep setrou
root 1783 1770 0 20:55 ? 00:00:00 python /usr/lib/audit/setroubleshoot_dispatcher
root 2558 2523 0 21:29 pts/0 00:00:00 grep setrou
[root at osprey ~]# tail -100 /var/log/messages | grep setrouble
Aug 4 20:56:12 osprey setroubleshoot: 2006-08-04 20:56:12,711 [ipc.ERROR] exiting after [Errno 2] No such file or directory, socket AlertClient: socket=/var/run/setroubleshoot/setroubleshoot_server user=None

Thanks,
Jay

From dwalsh at redhat.com Sat Aug 5 10:52:02 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 05 Aug 2006 06:52:02 -0400
Subject: strict error message
In-Reply-To: <44D3A728.1040003@mindspring.com>
References: <44D3A728.1040003@mindspring.com>
Message-ID: <44D47852.4090604@redhat.com>

Richard Hally wrote:
> I've been getting the following error message when updating with yum:
>
>> Updating : selinux-policy-strict #######################
>> [26/66] /etc/selinux/strict/contexts/files/file_contexts: Multiple
>> different specifications for /usr/bin/apt-get
>> (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
>> /etc/selinux/strict/contexts/files/file_contexts: Multiple different
>> specifications for /usr/bin/apt-shell
>> (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
>
> Do I need to bugzilla this?
>
> Richard
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Remove that apt policy package

semodule -r apt -s strict

in strict policy.

From stefan at sf-net.com Sat Aug 5 23:48:48 2006
From: stefan at sf-net.com (Stefan)
Date: Sun, 6 Aug 2006 01:48:48 +0200
Subject: strict error message
In-Reply-To: <44D47852.4090604@redhat.com>
References: <44D3A728.1040003@mindspring.com> <44D47852.4090604@redhat.com>
Message-ID: <0D16B287-3276-42AB-92AE-C9A9C2DD94E3@sf-net.com>

> Remove that apt policy package
>
> semodule -r apt -s strict
>
> in strict policy.

Is this really a solution? What if someone needs this policy? It sucks if a policy update comes out and every time you have to remove this module. Is there no better way?

-Stefan

From hugh at mimosa.com Sun Aug 6 05:38:09 2006
From: hugh at mimosa.com (D. Hugh Redelmeier) Date: Sun, 6 Aug 2006 01:38:09 -0400 (EDT) Subject: sharing a partition betweed FC3 and FC5 Message-ID: [I sent this to fedora-list at redhat.com a couple of minutes ago. I apologize for cross-posting.] I installed 32-bit Fedora Core 5 on an Athlon-64 box. I intended this installation to co-exist with a 64-bit Fedora Core 3 installation. The two installations share a /home ext3 partition and the swap partition. This is often how I do upgrades: a dual boot system with both old and new bootable. The problem is that the FC5 installation did something to the /home partition that prevents the FC3 from mounting it. When I manually try a mount of /home from FC3, the useless mount-failure message is preceded by these messages. I think that they are the key: inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 (In dmesg, these two messages were preceded by these that might be relevant: kjournald starting. Commit interval 5 seconds EXT3 FS on hda5, internal journal EXT3-fs: mounted filesystem with ordered data mode. SELinux: initialized (dev hda5, type ext3), uses xattr ) (The useless mount failure message is: mount: wrong fs type, bad option, bad superblock on /dev/hda5 or too many mounted file systems This message is disgracefully non-specific.) I think that this is a problem with SELinux. The following thread looks relevant but unhelpful: http://www.redhat.com/archives/fedora-selinux-list/2006-April/msg00002.html It provides a solution (I hope) for FC4 but FC3 would not have such an update. I tried using enforcing=0 on the FC3 kernel command line, but nothing changed. I thought ext3 was compatible between Fedora releases. Unfortunately, SELinux seems to have made things a lot more brittle. 
==> Is there something simple that I can do to allow the existing /home ext3 partition to be shared between FC3 and FC5? ==> What does the error message mean? inode 2 is the root of the filesystem. It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid and context_to_sid is returning EINVAL (because the context was invalid). But even knowing that, I don't know what it actually means or is caused by. (By the way, if FC5 worked well, it might not matter. Unfortunately, there is some regression in xorg that prevents dual-head working properly on FC5 where it did on FC3.) From selinux at gmail.com Sun Aug 6 16:22:33 2006 
From: selinux at gmail.com (Tom London)
Date: Sun, 6 Aug 2006 09:22:33 -0700
Subject: borkage during today's updates....
Message-ID: <4c4ba1530608060922t4cb845baiea876bd363c8461c@mail.gmail.com>

Running rawhide, targeted/enforcing.

Updates today produced the following during 'yumex'.

tom

libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/netfilter_contexts to /etc/selinux/targeted/contexts/netfilter_contexts.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/netfilter_contexts to /etc/selinux/targeted/contexts/netfilter_contexts.
semodule: Failed!

type=AVC msg=audit(1154880996.523:64): avc: denied { write } for pid=7536 comm="semodule" name="contexts" dev=dm-0 ino=1081413 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1154880996.523:64): arch=40000003 syscall=5 success=no exit=-13 a0=bf8f19e8 a1=241 a2=1a4 a3=1a4 items=0 ppid=7535 pid=7536 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1154881005.684:65): avc: denied { getattr } for pid=7591 comm="python" name="__init__.py" dev=dm-0 ino=8587951 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1154881005.684:65): arch=40000003 syscall=195 success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0 ppid=7590 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1154881005.684:65): path="/usr/share/setroubleshoot/plugins/__init__.py"
type=AVC msg=audit(1154881005.748:66): avc: denied { getattr } for pid=7591 comm="python" name="__init__.pyc" dev=dm-0 ino=8587952 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1154881005.748:66): arch=40000003 syscall=195 success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0 ppid=1 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1154881005.748:66): path="/usr/share/setroubleshoot/plugins/__init__.pyc"
type=DAEMON_END msg=audit(1154881015.289:1851) auditd normal halt, sending auid=500 pid=7605 subj=system_u:system_, auditd pid=1898
type=DAEMON_START msg=audit(1154881017.336:6926) auditd start, ver=1.2.5, format=raw, auid=500 res=success, auditd pid=7620
type=CONFIG_CHANGE msg=audit(1154881017.468:69): audit_backlog_limit=256 old=256 by auid=500 subj=system_u:system_r:auditctl_t:s0
type=CONFIG_CHANGE msg=audit(1154881017.476:70): audit_enabled=1 old=1 by auid=500 subj=system_u:system_r:auditd_t:s0
type=AVC msg=audit(1154881024.357:71): avc: denied { use } for pid=7649 comm="restorecond" name="null" dev=tmpfs ino=1372 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=fd
type=AVC msg=audit(1154881024.357:71): avc: denied { use } for pid=7649 comm="restorecond" name="null" dev=tmpfs ino=1372 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=fd
type=SYSCALL msg=audit(1154881024.357:71): arch=40000003 syscall=11 success=yes exit=0 a0=83ae870 a1=83ae800 a2=83aea88 a3=83ae608 items=0 ppid=7648 pid=7649 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC_PATH msg=audit(1154881024.357:71): path="/dev/null"
type=AVC_PATH msg=audit(1154881024.357:71): path="/dev/null"

--
Tom London

From selinux at gmail.com Sun Aug 6 16:25:55 2006
From: selinux at gmail.com (Tom London) Date: Sun, 6 Aug 2006 09:25:55 -0700 Subject: borkage during today's updates.... In-Reply-To: <4c4ba1530608060922t4cb845baiea876bd363c8461c@mail.gmail.com> References: <4c4ba1530608060922t4cb845baiea876bd363c8461c@mail.gmail.com> Message-ID: <4c4ba1530608060925t5921c944g8d58b52f2af14363@mail.gmail.com> BTW, no such files: '/etc/selinux/targeted/modules/active/netfilter_contexts' and '/etc/selinux/targeted/contexts/netfilter_contexts'. From paul at city-fan.org Sun Aug 6 18:26:39 2006 
From: paul at city-fan.org (Paul Howarth) Date: Sun, 06 Aug 2006 19:26:39 +0100 Subject: sharing a partition betweed FC3 and FC5 In-Reply-To: References: Message-ID: <1154888799.3187.12.camel@metropolis.intra.city-fan.org> On Sun, 2006-08-06 at 01:38 -0400, D. Hugh Redelmeier wrote: > [I sent this to fedora-list at redhat.com a couple of minutes ago. I > apologize for cross-posting.] > > I installed 32-bit Fedora Core 5 on an Athlon-64 box. I intended this > installation to co-exist with a 64-bit Fedora Core 3 installation. > The two installations share a /home ext3 partition and the swap partition. > This is often how I do upgrades: a dual boot system with both old and > new bootable. > > The problem is that the FC5 installation did something to > the /home partition that prevents the FC3 from mounting it. > > When I manually try a mount of /home from FC3, the useless > mount-failure message is preceded by these messages. I think that > they are the key: > > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > > (In dmesg, these two messages were preceded by these that might be relevant: > kjournald starting. Commit interval 5 seconds > EXT3 FS on hda5, internal journal > EXT3-fs: mounted filesystem with ordered data mode. > SELinux: initialized (dev hda5, type ext3), uses xattr > ) > > (The useless mount failure message is: > mount: wrong fs type, bad option, bad superblock on /dev/hda5 > or too many mounted file systems > This message is disgracefully non-specific.) > > I think that this is a problem with SELinux. The following thread > looks relevant but unhelpful: > http://www.redhat.com/archives/fedora-selinux-list/2006-April/msg00002.html > It provides a solution (I hope) for FC4 but FC3 would not have such an update. 
I think you're right; the underlying issue is that FC5 file contexts have 4 parts and FC4 and earlier have 3 parts (the extra part being for MLS). The fix for FC4 was to apply a patch so that the kernel could deal with (though probably not use) the MLS part. With FC3 now supported by the Fedora Legacy project, who only usually do updates for security issues, I think the chances of this getting fixed by them for FC3 are slim to none. You might be able to find the MLS patch in the FC4 kernel and see if you could get it to apply on the FC3 kernel though. > I tried using enforcing=0 on the FC3 kernel command line, but nothing changed. > > I thought ext3 was compatible between Fedora releases. Unfortunately, > SELinux seems to have made things a lot more brittle. > > ==> Is there something simple that I can do to allow the existing > /home ext3 partition to be shared between FC3 and FC5? Can't think of any offhand. Paul. From dwalsh at redhat.com Mon Aug 7 03:10:02 2006 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 06 Aug 2006 23:10:02 -0400
Subject: strict error message
In-Reply-To: <0D16B287-3276-42AB-92AE-C9A9C2DD94E3@sf-net.com>
References: <44D3A728.1040003@mindspring.com> <44D47852.4090604@redhat.com> <0D16B287-3276-42AB-92AE-C9A9C2DD94E3@sf-net.com>
Message-ID: <44D6AF0A.5080807@redhat.com>

Stefan wrote:
>> Remove that apt policy package
>>
>> semodule -r apt -s strict
>>
>> in strict policy.
>
> Is this really a solution? What if someone needs this policy? It sucks
> if a policy update comes out and every time you have to remove this
> module. Is there no better way?
>
> -Stefan
>

The problem was that strict policy used to ship with this module. I dropped it when I realized apt was not used to install dpkg, on FC packages, but to install rpm packages. So we needed to remove the package and change the context to rpm_exec_t. Problem is that there is no good way for the update procedure to remove a loadable module. (Well I could have removed it in a post install.)

From sds at tycho.nsa.gov Mon Aug 7 14:06:50 2006
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 07 Aug 2006 10:06:50 -0400 Subject: sharing a partition betweed FC3 and FC5 In-Reply-To: <1154888799.3187.12.camel@metropolis.intra.city-fan.org> References: <1154888799.3187.12.camel@metropolis.intra.city-fan.org> Message-ID: <1154959610.26697.7.camel@moss-spartans.epoch.ncsc.mil> On Sun, 2006-08-06 at 19:26 +0100, Paul Howarth wrote: > On Sun, 2006-08-06 at 01:38 -0400, D. Hugh Redelmeier wrote: > > [I sent this to fedora-list at redhat.com a couple of minutes ago. I > > apologize for cross-posting.] > > > > I installed 32-bit Fedora Core 5 on an Athlon-64 box. I intended this > > installation to co-exist with a 64-bit Fedora Core 3 installation. > > The two installations share a /home ext3 partition and the swap partition. > > This is often how I do upgrades: a dual boot system with both old and > > new bootable. > > > > The problem is that the FC5 installation did something to > > the /home partition that prevents the FC3 from mounting it. > > > > When I manually try a mount of /home from FC3, the useless > > mount-failure message is preceded by these messages. I think that > > they are the key: > > > > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > > > > (In dmesg, these two messages were preceded by these that might be relevant: > > kjournald starting. Commit interval 5 seconds > > EXT3 FS on hda5, internal journal > > EXT3-fs: mounted filesystem with ordered data mode. > > SELinux: initialized (dev hda5, type ext3), uses xattr > > ) > > > > (The useless mount failure message is: > > mount: wrong fs type, bad option, bad superblock on /dev/hda5 > > or too many mounted file systems > > This message is disgracefully non-specific.) > > > > I think that this is a problem with SELinux. 
The following thread > > looks relevant but unhelpful: > > http://www.redhat.com/archives/fedora-selinux-list/2006-April/msg00002.html > > It provides a solution (I hope) for FC4 but FC3 would not have such an update. > > I think you're right; the underlying issue is that FC5 file contexts > have 4 parts and FC4 and earlier have 3 parts (the extra part being for > MLS). The fix for FC4 was to apply a patch so that the kernel could deal > with (though probably not use) the MLS part. With FC3 now supported by > the Fedora Legacy project, who only usually do updates for security > issues, I think the chances of this getting fixed by them for FC3 are > slim to none. > > You might be able to find the MLS patch in the FC4 kernel and see if you > could get it to apply on the FC3 kernel though. > > > I tried using enforcing=0 on the FC3 kernel command line, but nothing changed. > > > > I thought ext3 was compatible between Fedora releases. Unfortunately, > > SELinux seems to have made things a lot more brittle. > > > > ==> Is there something simple that I can do to allow the existing > > /home ext3 partition to be shared between FC3 and FC5? > > Can't think of any offhand. Unfortunately, aside from patching your FC3 kernel and rebuilding it, I think your only option is to disable SELinux for FC3 altogether, i.e. boot it with selinux=0 or set SELINUX=disabled in /etc/selinux/config. -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Aug 7 14:32:17 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 07 Aug 2006 10:32:17 -0400 Subject: sharing a partition betweed FC3 and FC5 In-Reply-To: <1154959610.26697.7.camel@moss-spartans.epoch.ncsc.mil> References: <1154888799.3187.12.camel@metropolis.intra.city-fan.org> <1154959610.26697.7.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1154961137.26697.26.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2006-08-07 at 10:06 -0400, Stephen Smalley wrote: > On Sun, 2006-08-06 at 19:26 +0100, Paul Howarth wrote: > > On Sun, 2006-08-06 at 01:38 -0400, D. Hugh Redelmeier wrote: > > > [I sent this to fedora-list at redhat.com a couple of minutes ago. I > > > apologize for cross-posting.] > > > > > > I installed 32-bit Fedora Core 5 on an Athlon-64 box. I intended this > > > installation to co-exist with a 64-bit Fedora Core 3 installation. > > > The two installations share a /home ext3 partition and the swap partition. > > > This is often how I do upgrades: a dual boot system with both old and > > > new bootable. > > > > > > The problem is that the FC5 installation did something to > > > the /home partition that prevents the FC3 from mounting it. > > > > > > When I manually try a mount of /home from FC3, the useless > > > mount-failure message is preceded by these messages. I think that > > > they are the key: > > > > > > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > > > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > > > > > > (In dmesg, these two messages were preceded by these that might be relevant: > > > kjournald starting. Commit interval 5 seconds > > > EXT3 FS on hda5, internal journal > > > EXT3-fs: mounted filesystem with ordered data mode. 
> > > SELinux: initialized (dev hda5, type ext3), uses xattr > > > ) > > > > > > (The useless mount failure message is: > > > mount: wrong fs type, bad option, bad superblock on /dev/hda5 > > > or too many mounted file systems > > > This message is disgracefully non-specific.) > > > > > > I think that this is a problem with SELinux. The following thread > > > looks relevant but unhelpful: > > > http://www.redhat.com/archives/fedora-selinux-list/2006-April/msg00002.html > > > It provides a solution (I hope) for FC4 but FC3 would not have such an update. > > > > I think you're right; the underlying issue is that FC5 file contexts > > have 4 parts and FC4 and earlier have 3 parts (the extra part being for > > MLS). The fix for FC4 was to apply a patch so that the kernel could deal > > with (though probably not use) the MLS part. With FC3 now supported by > > the Fedora Legacy project, who only usually do updates for security > > issues, I think the chances of this getting fixed by them for FC3 are > > slim to none. > > > > You might be able to find the MLS patch in the FC4 kernel and see if you > > could get it to apply on the FC3 kernel though. > > > > > I tried using enforcing=0 on the FC3 kernel command line, but nothing changed. > > > > > > I thought ext3 was compatible between Fedora releases. Unfortunately, > > > SELinux seems to have made things a lot more brittle. > > > > > > ==> Is there something simple that I can do to allow the existing > > > /home ext3 partition to be shared between FC3 and FC5? > > > > Can't think of any offhand. > > Unfortunately, aside from patching your FC3 kernel and rebuilding it, I > think your only option is to disable SELinux for FC3 altogether, i.e. > boot it with selinux=0 or set SELINUX=disabled in /etc/selinux/config. Note btw that SELinux is broken in FC3 anyway if you ever try using a modern kernel (>= 2.6.14), unless you also update your policy toolchain and policy to something more modern. 
--
Stephen Smalley
National Security Agency

From hugh at mimosa.com Mon Aug 7 15:15:07 2006
From: hugh at mimosa.com (D. Hugh Redelmeier)
Date: Mon, 7 Aug 2006 11:15:07 -0400 (EDT)
Subject: sharing a partition betweed FC3 and FC5
In-Reply-To: <1154959610.26697.7.camel@moss-spartans.epoch.ncsc.mil>
References: <1154888799.3187.12.camel@metropolis.intra.city-fan.org> <1154959610.26697.7.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Thanks, Paul and Stephen, for your help.

| From: Stephen Smalley

| Unfortunately, aside from patching your FC3 kernel and rebuilding it, I
| think your only option is to disable SELinux for FC3 altogether, i.e.
| boot it with selinux=0 or set SELINUX=disabled in /etc/selinux/config.

Am I correct in my guess that after doing this, the next time FC5 is booted, I will have to relabel /home? What is the right way of doing this? (Of course I could disable SELinux in FC5 too.)

Is "fixfiles relabel /home" the best choice?

In my first message, I mentioned that I got the following messages on the console:

inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2

==> What does the error message mean?
inode 2 is the root of the filesystem.
It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid and context_to_sid is returning EINVAL (because the context was invalid). But even knowing that, I don't know what it actually means or is caused by.

From sds at tycho.nsa.gov Mon Aug 7 15:29:55 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 07 Aug 2006 11:29:55 -0400
Subject: sharing a partition betweed FC3 and FC5
In-Reply-To:
References: <1154888799.3187.12.camel@metropolis.intra.city-fan.org> <1154959610.26697.7.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1154964595.26697.55.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-08-07 at 11:15 -0400, D. Hugh Redelmeier wrote:
> Thanks, Paul and Stephen, for your help.
>
> |
From: Stephen Smalley > > | Unfortunately, aside from patching your FC3 kernel and rebuilding it, I > | think your only option is to disable SELinux for FC3 altogether, i.e. > | boot it with selinux=0 or set SELINUX=disabled in /etc/selinux/config. > > Am I correct in my guess that after doing this, the next time FC5 is > booted, I will have to relabel /home? What is the right way of doing > this? (Of course I could disable SELinux in FC5 too.) Yes, if you keep them sharing /home. > Is "fixfiles relabel /home" the best choice? /sbin/restorecon -R /home should work. > In my first message, I mentioned that I got the following messages on > the console: > > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 > > ==> What does the error message mean? > inode 2 is the root of the filesystem. > It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid > and context_to_sid is returning EINVAL (because the context was invalid). > But even knowing that, I don't know what it actually means or is caused by. Your description is correct; while running FC5, the directory was labeled with the MLS/MCS field (:s0), and the FC3 kernel doesn't understand it. At the time when FC3 was released, the MLS support in SELinux was a compile-time option only and not enabled. By FC5, it had become mainstreamed and turned into a runtime enable based on the policy loaded at boot time. -- Stephen Smalley National Security Agency From shin216 at xf7.so-net.ne.jp Mon Aug 7 21:21:02 2006 
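Paul's and Stephen's explanation in this thread (FC3 file contexts have three fields, FC5 contexts have a fourth MLS/MCS field such as :s0, and a kernel without MLS rejects the extra field with EINVAL) can be made concrete with a small model of the label check. The Python below is an added example, not kernel code and not from the thread: context_to_parts() accepts user:role:type and, only when MLS is enabled, requires a well-formed range as the fourth field; label_check() reproduces the dmesg line Hugh quoted, returning errno 22 exactly when a pre-MLS kernel meets an FC5 label. The range grammar, the sample listing, and the simplification that a missing range is always an error (the real kernel can fall back to a default SID's range) are this example's assumptions.

```python
"""Model how an SELinux kernel validates on-disk file labels, with and without MLS."""
import errno
import re

# One MLS/MCS level: a sensitivity name, optionally followed by categories
# such as ":c0.c255" or ":c0,c3"; a range is "low" or "low-high".
_LEVEL = r"[A-Za-z]\w*(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
RANGE_RE = re.compile(rf"^{_LEVEL}(?:-{_LEVEL})?$")


class ContextError(ValueError):
    """Raised where the kernel's context_to_sid would return an errno."""

    def __init__(self, message, err=errno.EINVAL):
        super().__init__(message)
        self.errno = err


def context_to_parts(ctx, mls_enabled):
    """Split a security context as a kernel with the given MLS setting would.

    mls_enabled=False models an FC3-era kernel: only user:role:type is valid and
    any fourth field is an error.  mls_enabled=True models FC5: the fourth field
    is required and must be a well-formed range.  (The real kernel can fill a
    missing range from a default SID; that fallback is not modelled here.)
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ContextError("context needs user:role:type: " + ctx)
    user, role, type_, *rest = parts
    if not mls_enabled:
        if rest:
            raise ContextError("MLS field present but MLS is disabled: " + rest[0])
        return {"user": user, "role": role, "type": type_}
    if not rest or not RANGE_RE.match(rest[0]):
        raise ContextError("MLS range missing or malformed: " + ctx)
    return {"user": user, "role": role, "type": type_, "range": rest[0]}


def label_check(ctx, mls_enabled, dev="hda5", ino=2):
    """None if the label is acceptable, otherwise the dmesg line the kernel
    prints (inode_doinit_with_dentry reporting the errno from context_to_sid)."""
    try:
        context_to_parts(ctx, mls_enabled)
    except ContextError as err:
        return (f"inode_doinit_with_dentry: context_to_sid({ctx}) "
                f"returned {err.errno} for dev={dev} ino={ino}")
    return None


def incompatible_labels(listing, mls_enabled=False):
    """Paths whose labels a kernel with this MLS setting would reject.
    `listing` is an iterable of (path, context) pairs, for instance parsed
    from `getfattr -n security.selinux -R` output."""
    return [path for path, ctx in listing if label_check(ctx, mls_enabled)]


# Constructed sample listing: a /home labelled by FC5 (four fields) next to
# one file still carrying a three-field label written under FC3.
SAMPLE_LISTING = [
    ("/home", "system_u:object_r:home_root_t:s0"),
    ("/home/hugh", "user_u:object_r:user_home_dir_t:s0"),
    ("/home/hugh/old.txt", "user_u:object_r:user_home_t"),
]

if __name__ == "__main__":
    print(label_check("system_u:object_r:home_root_t:s0", mls_enabled=False))
    print(incompatible_labels(SAMPLE_LISTING, mls_enabled=False))  # FC3 view
    print(incompatible_labels(SAMPLE_LISTING, mls_enabled=True))   # FC5 view
```

Run against the label of inode 2 on Hugh's hda5 with mls_enabled=False, label_check() returns the exact line from his console, which is the whole diagnosis: the label is fine, the FC3 kernel just has no parser for its fourth field. The same listing viewed with mls_enabled=True shows the reverse problem, a three-field label that FC5 will not accept, which is why Stephen's restorecon -R /home is needed after the partition has been written under FC3.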
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Tue, 08 Aug 2006 06:21:02 +0900
Subject: [ANN] segatex2.02 released !!
Message-ID: <1154985662.2473.32.camel@mama.intrajp-yokosuka.co.jp>

Hi, all.

I made a simple GUI tool, which generates a .te file from /var/log/audit/audit.log.
It checks all .if files and generates the .te with the raw permissions which had not been found in the .if files.

You can download the source from https://sourceforge.net/projects/segatex/

It needs the C++ Boost library and Qt.

Thank you.

From selinux at gmail.com Tue Aug 8 14:28:07 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 8 Aug 2006 07:28:07 -0700
Subject: setroubleshoot: Import error....
Message-ID: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com>

Running latest rawhide (setroubleshoot-0.18-1), targeted/enforcing.

Get this in /var/log/setroubleshoot/setroubleshoot.log (repeated several times):

2006-08-08 06:59:23,081 [avc.ERROR] Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/setroubleshoot/dispatcher.py", line 152, in HandleAVCS
    analyze_thread = Analyze(analyze_queue, sigHandler)
  File "/usr/lib/python2.4/site-packages/setroubleshoot/dispatcher.py", line 23, in __init__
    self.plugins = LoadPlugins()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 299, in LoadPlugins
    imp.load_module(pluginBase, *imp.find_module(pluginBase, [pluginRoot]))
ImportError: No module named plugins
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/setroubleshoot/dispatcher.py", line 152, in HandleAVCS
    analyze_thread = Analyze(analyze_queue, sigHandler)
  File "/usr/lib/python2.4/site-packages/setroubleshoot/dispatcher.py", line 23, in __init__
    self.plugins = LoadPlugins()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 299, in LoadPlugins
    imp.load_module(pluginBase, *imp.find_module(pluginBase, [pluginRoot]))
ImportError: No module named plugins

tom
-- 
Tom London

From selinux at gmail.com Tue Aug 8 14:50:35 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 8 Aug 2006 07:50:35 -0700
Subject: setroubleshoot: Import error....
In-Reply-To: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com>
References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com>
Message-ID: <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com>

Sorry, noticed this in /var/log/audit/audit.log:

type=AVC msg=audit(1155045561.315:7): avc: denied { getattr } for pid=1966 comm="python" name="__init__.py" dev=dm-0 ino=8589037 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1155045561.315:7): arch=40000003 syscall=195 success=no exit=-13 a0=bfd55647 a1=bfd55134 a2=87dff4 a3=21 items=0 ppid=1 pid=1966 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1155045561.315:7): path="/usr/share/setroubleshoot/plugins/__init__.py"
type=AVC msg=audit(1155045561.351:8): avc: denied { getattr } for pid=1966 comm="python" name="__init__.pyc" dev=dm-0 ino=8587951 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1155045561.351:8): arch=40000003 syscall=195 success=no exit=-13 a0=bfd55647 a1=bfd55134 a2=87dff4 a3=21 items=0 ppid=1 pid=1966 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1155045561.351:8): path="/usr/share/setroubleshoot/plugins/__init__.pyc"

tom

From selinux at gmail.com Tue Aug 8 14:59:42 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 8 Aug 2006 07:59:42 -0700
Subject: setroubleshoot: Import error....
In-Reply-To: <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com>
References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com>
Message-ID: <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com>

I tried relabeling everything in /usr/share/setroubleshoot to lib_t
and restarting setroubleshoot service. Now get:

type=AVC msg=audit(1155049018.305:33): avc: denied { write } for pid=4347 comm="python" name="auditd_sock" dev=dm-0 ino=2785383 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1155049018.305:33): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9ce780 a2=2db118 a3=0 items=0 ppid=1 pid=4347 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)

tom

From dwalsh at redhat.com Tue Aug 8 15:21:03 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 08 Aug 2006 11:21:03 -0400
Subject: setroubleshoot: Import error....
In-Reply-To: <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com>
References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com>
Message-ID: <44D8ABDF.2030008@redhat.com>

Tom London wrote:
> I tried relabeling everything in /usr/share/setroubleshoot to lib_t
> and restarting setroubleshoot service. Now get:
>
> type=AVC msg=audit(1155049018.305:33): avc: denied { write } for
> pid=4347 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1155049018.305:33): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bf9ce780 a2=2db118 a3=0 items=0 ppid=1
> pid=4347 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
>
> tom
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Could you try to update to the policy available on
ftp://people.redhat.com:dwalsh/SELinux/Fedora

From dwalsh at redhat.com Tue Aug 8 15:21:55 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 08 Aug 2006 11:21:55 -0400
Subject: Setroubleshoot question
In-Reply-To: <44D403DC.4010004@bellsouth.net>
References: <44D403DC.4010004@bellsouth.net>
Message-ID: <44D8AC13.1090605@redhat.com>

Jay Cliburn wrote:
> Is it a bug that setroubleshoot_dispatcher continues to run even when
> setroubleshoot is shut off?
>
setroubleshoot_dispatcher is going away. It is being combined into
setroubleshoot. So yes, this is a bug.

> [root at osprey ~]# rpm -q setroubleshoot
> setroubleshoot-0.16-1
>
> [root at osprey ~]# service setroubleshoot status
> setroubleshoot is stopped
>
> [root at osprey ~]# ps -ef | grep setrou
> root 1783 1770 0 20:55 ? 00:00:00 python
> /usr/lib/audit/setroubleshoot_dispatcher
> root 2558 2523 0 21:29 pts/0 00:00:00 grep setrou
>
> [root at osprey ~]# tail -100 /var/log/messages | grep setrouble
> Aug 4 20:56:12 osprey setroubleshoot: 2006-08-04 20:56:12,711
> [ipc.ERROR] exiting after [Errno 2] No such file or directory, socket
> AlertClient: socket=/var/run/setroubleshoot/setroubleshoot_server
> user=None
>
> Thanks,
> Jay
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From selinux at gmail.com Tue Aug 8 16:22:05 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 8 Aug 2006 09:22:05 -0700
Subject: setroubleshoot: Import error....
In-Reply-To: <44D8ABDF.2030008@redhat.com>
References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com> <44D8ABDF.2030008@redhat.com>
Message-ID: <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com>

On 8/8/06, Daniel J Walsh wrote:
> Tom London wrote:
> > I tried relabeling everything in /usr/share/setroubleshoot to lib_t
> > and restarting setroubleshoot service. Now get:
> >
> > type=AVC msg=audit(1155049018.305:33): avc: denied { write } for
> > pid=4347 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
> > scontext=user_u:system_r:setroubleshootd_t:s0
> > tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> > type=SYSCALL msg=audit(1155049018.305:33): arch=40000003 syscall=102
> > success=no exit=-13 a0=3 a1=bf9ce780 a2=2db118 a3=0 items=0 ppid=1
> > pid=4347 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> > subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
> >
> > tom
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Could you try to update to the policy available on
> ftp://people.redhat.com:dwalsh/SELinux/Fedora
>
No joy. Get this on the update:

(1/2): selinux-policy-2.3 100% |=========================| 291 kB 00:00
(2/2): selinux-policy-tar 100% |=========================| 648 kB 00:02
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : selinux-policy               ######################### [1/4]
  Updating  : selinux-policy-targeted      ######################### [2/4]
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/netfilter_contexts to /etc/selinux/targeted/contexts/netfilter_contexts.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/netfilter_contexts to /etc/selinux/targeted/contexts/netfilter_contexts.
semodule: Failed!
  Cleanup   : selinux-policy               ######################### [3/4]
  Cleanup   : selinux-policy-targeted      ######################### [4/4]

Updated: selinux-policy.noarch 0:2.3.5-1 selinux-policy-targeted.noarch 0:2.3.5-1
Complete!

And get this on 'service setroubleshoot start':

type=AVC msg=audit(1155053599.312:40): avc: denied { getattr } for pid=3687 comm="python" name="__init__.py" dev=dm-0 ino=8589037 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1155053599.312:40): arch=40000003 syscall=195 success=no exit=-13 a0=bf899217 a1=bf898d04 a2=8e4ff4 a3=21 items=0 ppid=3686 pid=3687 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1155053599.312:40): path="/usr/share/setroubleshoot/plugins/__init__.py"
type=AVC msg=audit(1155053599.312:41): avc: denied { getattr } for pid=3687 comm="python" name="__init__.pyc" dev=dm-0 ino=8587951 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1155053599.312:41): arch=40000003 syscall=195 success=no exit=-13 a0=bf899217 a1=bf898d04 a2=8e4ff4 a3=21 items=0 ppid=3686 pid=3687 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1155053599.312:41): path="/usr/share/setroubleshoot/plugins/__init__.pyc"

'chcon -t lib_t /usr/share/setroubleshoot/plugin/*' followed by
'service setroubleshoot start' results in the same:

type=AVC msg=audit(1155053762.417:42): avc: denied { write } for pid=3760 comm="python" name="auditd_sock" dev=dm-0 ino=2785383 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1155053762.417:42): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfab15f0 a2=26a118 a3=0 items=0 ppid=3759 pid=3760 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:setroubleshootd_t:s0 key=(null)

tom
-- 
Tom London

From dwalsh at redhat.com Tue Aug 8 18:48:42 2006
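What a .te generator like the segatex tool announced earlier in this archive does with records such as the ones Tom posted, as an added example (not segatex's code, not setroubleshoot's, and not from Tom or Dan): parse the AVC records out of the audit log, merge the denied permissions per (source type, target type, object class), and emit a policy module source. The audit lines are constructed from the ones in this thread; the module name and the list of "generic" target types that get a warning comment are the example's own assumptions.

```python
"""Turn AVC denials from /var/log/audit/audit.log into a policy module
source (.te), the job that audit2allow and the segatex tool announced
earlier in this archive perform.

Added example, not code from segatex, setroubleshoot or this thread.  The
log lines below are constructed from the records posted in the thread;
the module name and the set of "generic" target types that get flagged
are assumptions of this example."""

import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Set, Tuple

# Only AVC records carry a denial; SYSCALL and AVC_PATH records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that usually mean "the object is mislabeled", not "the policy
# lacks a rule".  Assumption of this example; in the thread the usr_t denial
# on plugins/__init__.py was resolved by relabeling the files to lib_t.
GENERIC_TARGETS = {"usr_t", "default_t", "file_t", "unlabeled_t"}

Key = Tuple[str, str, str]  # (source type, target type, object class)


def type_of(context: str) -> str:
    """Third field of user:role:type[:range]; the range may itself contain ':'."""
    return context.split(":", 3)[2]


def parse_avcs(lines: Iterable[str]) -> Iterator[Tuple[Key, Set[str]]]:
    """Yield one (key, permissions) pair per AVC denial record."""
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            yield key, set(m["perms"].split())


def collect_rules(lines: Iterable[str]) -> Dict[Key, Set[str]]:
    """Merge permissions denied for the same (source, target, class)."""
    rules: Dict[Key, Set[str]] = defaultdict(set)
    for key, perms in parse_avcs(lines):
        rules[key] |= perms
    return dict(rules)


def render_te(rules: Dict[Key, Set[str]], module: str = "local", version: str = "1.0") -> str:
    """Emit a reference-policy style module: header, require block, allow rules."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes: Dict[str, Set[str]] = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = ["policy_module(%s, %s)" % (module, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt in GENERIC_TARGETS:
            out.append("# %s is a generic label: check the object's context "
                       "(matchpathcon/restorecon) before allowing this" % tgt)
        out.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


# Constructed from the audit records in this thread (one SYSCALL and one
# AVC_PATH record kept to show that they are ignored).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1155045561.315:7): avc: denied { getattr } for pid=1966 comm="python" '
    'name="__init__.py" dev=dm-0 ino=8589037 scontext=system_u:system_r:setroubleshootd_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1155045561.315:7): arch=40000003 syscall=195 success=no exit=-13 '
    'comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)',
    'type=AVC_PATH msg=audit(1155045561.315:7): path="/usr/share/setroubleshoot/plugins/__init__.py"',
    'type=AVC msg=audit(1155045561.351:8): avc: denied { getattr } for pid=1966 comm="python" '
    'name="__init__.pyc" dev=dm-0 ino=8587951 scontext=system_u:system_r:setroubleshootd_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1155049018.305:33): avc: denied { write } for pid=4347 comm="python" '
    'name="auditd_sock" dev=dm-0 ino=2785383 scontext=user_u:system_r:setroubleshootd_t:s0 '
    'tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file',
]

if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG), module="setroubleshootlocal"))
```

The warning comment on the usr_t rule is the point of the thread: the first denial was a labeling problem (plugins/__init__.py carrying usr_t rather than lib_t), which a relabel fixed without any new allow rule, whereas the auditd_sock denial needed the policy update Dan pointed to. An allow rule generated blindly from the first denial would have widened the policy to cover a mislabeled file.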
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 08 Aug 2006 14:48:42 -0400
Subject: setroubleshoot: Import error....
In-Reply-To: <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com>
References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com> <44D8ABDF.2030008@redhat.com> <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com>
Message-ID: <44D8DC8A.8000006@redhat.com>

Tom London wrote:
> On 8/8/06, Daniel J Walsh wrote:
>> Tom London wrote:
>> > I tried relabeling everything in /usr/share/setroubleshoot to lib_t
>> > and restarting setroubleshoot service. Now get:
>> >
>> > type=AVC msg=audit(1155049018.305:33): avc: denied { write } for
>> > pid=4347 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
>> > scontext=user_u:system_r:setroubleshootd_t:s0
>> > tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
>> > type=SYSCALL msg=audit(1155049018.305:33): arch=40000003 syscall=102
>> > success=no exit=-13 a0=3 a1=bf9ce780 a2=2db118 a3=0 items=0 ppid=1
>> > pid=4347 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
>> > subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
>> >
>> > tom
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Could you try to update to the policy available on
>> ftp://people.redhat.com:dwalsh/SELinux/Fedora
>>
> No joy. Get this on the update:
>
> (1/2): selinux-policy-2.3 100% |=========================| 291 kB 00:00
> (2/2): selinux-policy-tar 100% |=========================| 648 kB 00:02
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Updating : selinux-policy ######################### [1/4]
> Updating : selinux-policy-targeted ######################### [2/4]
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/netfilter_contexts to
> /etc/selinux/targeted/contexts/netfilter_contexts.
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/netfilter_contexts to
> /etc/selinux/targeted/contexts/netfilter_contexts.
> semodule: Failed!
> Cleanup : selinux-policy ######################### [3/4]
> Cleanup : selinux-policy-targeted ######################### [4/4]
>
> Updated: selinux-policy.noarch 0:2.3.5-1
> selinux-policy-targeted.noarch 0:2.3.5-1
> Complete!
>
Try to run the update in permissive mode.

setenforce 0
semodule -b /usr/share/selinux/targeted/base.pp
setenforce 1

There is a chicken-and-egg situation with the netfilter_contexts problem
above, which is not allowing us to update the policy rules with the proper
allows to eliminate this problem.

> And get this on 'service setroubleshoot start':
>
> type=AVC msg=audit(1155053599.312:40): avc: denied { getattr } for
> pid=3687 comm="python" name="__init__.py" dev=dm-0 ino=8589037
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1155053599.312:40): arch=40000003 syscall=195
> success=no exit=-13 a0=bf899217 a1=bf898d04 a2=8e4ff4 a3=21 items=0
> ppid=3686 pid=3687 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
> type=AVC_PATH msg=audit(1155053599.312:40):
> path="/usr/share/setroubleshoot/plugins/__init__.py"
> type=AVC msg=audit(1155053599.312:41): avc: denied { getattr } for
> pid=3687 comm="python" name="__init__.pyc" dev=dm-0 ino=8587951
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1155053599.312:41): arch=40000003 syscall=195
> success=no exit=-13 a0=bf899217 a1=bf898d04 a2=8e4ff4 a3=21 items=0
> ppid=3686 pid=3687 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
> subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
> type=AVC_PATH msg=audit(1155053599.312:41):
> path="/usr/share/setroubleshoot/plugins/__init__.pyc"
>
> 'chcon -t lib_t /usr/share/setroubleshoot/plugin/*' followed by
> 'service setroubleshoot start' results in the same:
>
> type=AVC msg=audit(1155053762.417:42): avc: denied { write } for
> pid=3760 comm="python" name="auditd_sock" dev=dm-0 ino=2785383
> scontext=user_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1155053762.417:42): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfab15f0 a2=26a118 a3=0 items=0 ppid=3759
> pid=3760 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="python"
exe="/usr/bin/python" > subj=user_u:system_r:setroubleshootd_t:s0 key=(null) > > > tom From selinux at gmail.com Tue Aug 8 19:33:53 2006 From: selinux at gmail.com (Tom London) Date: Tue, 8 Aug 2006 12:33:53 -0700 Subject: setroubleshoot: Import error.... In-Reply-To: <44D8DC8A.8000006@redhat.com> References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com> <44D8ABDF.2030008@redhat.com> <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com> <44D8DC8A.8000006@redhat.com> Message-ID: <4c4ba1530608081233n78be1a50w5666d64c78f3ba63@mail.gmail.com> OK, that cleared up the above issues. One last thing: 'service setroubleshoot status' says: setroubleshoot dead but subsys locked [root at localhost contexts]# ps agx | grep setr 11350 ? Ssl 0:00 python /usr/sbin/setroubleshootd 11394 pts/0 S+ 0:00 grep setr [root at localhost contexts]# That right? Should /etc/init.d/setroubleshoot check setroubleshootd (not setroubleshoot)? I changed as below to get 'service setroubleshoot status' to work. Not sure if it is right..... tom --- setroubleshoot 2006-08-07 15:15:34.000000000 -0700 +++ foo 2006-08-08 12:31:59.000000000 -0700 @@ -88,7 +88,7 @@ stop ;; status) - status $prog + status $exe ;; restart) restart From tonynelson at georgeanelson.com Tue Aug 8 20:10:52 2006 
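Review bot: the hunk replaces `status $prog` with `status $exe`, but neither variable's assignment is within the three lines of context, so the patch on its own does not show that `$exe` resolves to the daemon; the `ps` output in the same message shows the process as `python /usr/sbin/setroubleshootd`, so `$exe` has to equal `/usr/sbin/setroubleshootd` for `status` to find it, which the old `$prog` (the `setroubleshoot` service name, going by the "check setroubleshootd (not setroubleshoot)" question above) could not. Suggest widening the hunk to include the `prog=`/`exe=` assignments, or adding a one-line comment above `status $exe` saying the daemon is a python script and must be looked up by its script path, so the next reader does not "fix" it back to `$prog`.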
From: tonynelson at georgeanelson.com (Tony Nelson)
Date: Tue, 8 Aug 2006 16:10:52 -0400
Subject: setroubleshoot: Import error....
In-Reply-To: <44D8DC8A.8000006@redhat.com>
References: <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com> <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com> <44D8ABDF.2030008@redhat.com> <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com>
Message-ID:

At 2:48 PM -0400 8/8/06, Daniel J Walsh wrote:
...
>Try to run the update in permissive mode.
>
>setenforce 0
>semodule -b /usr/share/selinux/targeted/base.pp
>setenforce 1
>
>There is a chicken-and-egg situation with the netfilter_contexts problem
>above, which is not allowing
>to update policy rules with the proper allows to eliminate this problem.
...

Would it be reasonable for SELinux policy update rpm post-install scripts
to do "setenforce 0" before updating (and restore the state after)?
____________________________________________________________________
TonyN.:'                                             '

From dwalsh at redhat.com Tue Aug 8 20:12:09 2006
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 08 Aug 2006 16:12:09 -0400 Subject: setroubleshoot: Import error.... In-Reply-To: <4c4ba1530608081233n78be1a50w5666d64c78f3ba63@mail.gmail.com> References: <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com> <44D8ABDF.2030008@redhat.com> <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com> <44D8DC8A.8000006@redhat.com> <4c4ba1530608081233n78be1a50w5666d64c78f3ba63@mail.gmail.com> Message-ID: <44D8F019.9040004@redhat.com> Tom London wrote: > OK, that cleared up the above issues. > > One last thing: 'service setroubleshoot status' says: > setroubleshoot dead but subsys locked > > [root at localhost contexts]# ps agx | grep setr > 11350 ? Ssl 0:00 python /usr/sbin/setroubleshootd > 11394 pts/0 S+ 0:00 grep setr > [root at localhost contexts]# > > That right? > > Should /etc/init.d/setroubleshoot check setroubleshootd (not > setroubleshoot)? > > I changed as below to get 'service setroubleshoot status' to work. > Not sure if it is right..... > > tom > > --- setroubleshoot 2006-08-07 15:15:34.000000000 -0700 > +++ foo 2006-08-08 12:31:59.000000000 -0700 > @@ -88,7 +88,7 @@ > stop > ;; > status) > - status $prog > + status $exe > ;; > restart) > restart Yes that is correct. There is a new setroubleshoot out on people also, if you want to try it. From dwalsh at redhat.com Tue Aug 8 20:13:48 2006 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 08 Aug 2006 16:13:48 -0400
Subject: setroubleshoot: Import error....
In-Reply-To:
References: <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com> <4c4ba1530608080728p39daae7dp4d3aed8fa57f91f4@mail.gmail.com> <4c4ba1530608080750n7b2f024emf40e6ca9685bf043@mail.gmail.com> <4c4ba1530608080759o53274330mecad1ccdff78c253@mail.gmail.com> <44D8ABDF.2030008@redhat.com> <4c4ba1530608080922y6fb41645y5e5be0371bd83f5@mail.gmail.com>
Message-ID: <44D8F07C.3080609@redhat.com>

Tony Nelson wrote:
> At 2:48 PM -0400 8/8/06, Daniel J Walsh wrote:
> ...
>
>> Try to run the update in permissive mode.
>>
>> setenforce 0
>> semodule -b /usr/share/selinux/targeted/base.pp
>> setenforce 1
>>
>> There is a chicken-and-egg situation with the netfilter_contexts problem
>> above, which is not allowing
>> to update policy rules with the proper allows to eliminate this problem.
>>
> ...
>
> Would it be reasonable for SELinux policy update rpm post-install scripts
> to do "setenforce 0" before updating (and restore the state after)?
>
No, this would shut down your security during the update. Probably not a
good idea. We just need to fix our bugs. :^(

> ____________________________________________________________________
> TonyN.:'                                             '
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From paul at city-fan.org Wed Aug 9 08:27:50 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 09 Aug 2006 09:27:50 +0100
Subject: FC2 useradd in chroot on FC5 host with SELinux
In-Reply-To: <44B67BE0.6010802@city-fan.org>
References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org>
Message-ID: <1155112070.25659.2.camel@metropolis.intra.city-fan.org>

On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
> Daniel J Walsh wrote:
> > Paul Howarth wrote:
> >> Daniel J Walsh wrote:
> >>> Paul Howarth wrote:
> >>>> I use mock to build packages for old distributions in a chroot-ed
> >>>> environment on my FC5 box. I've pretty well got this working for all old
> >>>> distributions now apart from FC2 (see
> >>>> http://www.fedoraproject.org/wiki/Legacy/Mock). On FC2, the process gets
> >>>> off to quite a good start, installing the following packages into the
> >>>> chroot:
> >>>>
> >>>> =============================================================================
> >>>>  Package              Arch    Version              Repository         Size
> >>>> =============================================================================
> >>>> Installing:
> >>>>  buildsys-build       noarch  0.5-1.CF.fc2         groups             1.8 k
> >>>> Installing for dependencies:
> >>>>  SysVinit             i386    2.85-25              core                96 k
> >>>>  basesystem           noarch  8.0-3                core               2.7 k
> >>>>  bash                 i386    2.05b-38             core               1.5 M
> >>>>  beecrypt             i386    3.1.0-3              core                64 k
> >>>>  binutils             i386    2.15.90.0.3-5        core               2.8 M
> >>>>  buildsys-macros      noarch  2-2.fc2              groups             2.1 k
> >>>>  bzip2                i386    1.0.2-12.1           core                48 k
> >>>>  bzip2-libs           i386    1.0.2-12.1           core                32 k
> >>>>  chkconfig            i386    1.3.9-1.1            core                99 k
> >>>>  coreutils            i386    5.2.1-7              core               2.8 M
> >>>>  cpio                 i386    2.5-6                core                45 k
> >>>>  cpp                  i386    3.3.3-7              core               1.4 M
> >>>>  cracklib             i386    2.7-27.1             core                26 k
> >>>>  cracklib-dicts       i386    2.7-27.1             core               409 k
> >>>>  db4                  i386    4.2.52-3.1           core               1.5 M
> >>>>  dev                  i386    3.3.13-1             core               3.6 M
> >>>>  diffutils            i386    2.8.1-11             core               205 k
> >>>>  e2fsprogs            i386    1.35-7.1             core               728 k
> >>>>  elfutils-libelf      i386    0.95-2               core                36 k
> >>>>  ethtool              i386    1.8-3.1              core                48 k
> >>>>  fedora-release       i386    2-4                  core                92 k
> >>>>  file                 i386    4.07-4               core               242 k
> >>>>  filesystem           i386    2.2.4-1              core                18 k
> >>>>  findutils            i386    1:4.1.7-25           core               102 k
> >>>>  gawk                 i386    3.1.3-7              core               1.5 M
> >>>>  gcc                  i386    3.3.3-7              core               3.8 M
> >>>>  gcc-c++              i386    3.3.3-7              core               2.0 M
> >>>>  gdbm                 i386    1.8.0-22.1           core                26 k
> >>>>  glib                 i386    1:1.2.10-12.1.1      core               134 k
> >>>>  glib2                i386    2.4.8-1.fc2          updates-released   477 k
> >>>>  glibc                i686    2.3.3-27.1           updates-released   4.9 M
> >>>>  glibc-common         i386    2.3.3-27.1           updates-released    14 M
> >>>>  glibc-devel          i386    2.3.3-27.1           updates-released   1.9 M
> >>>>  glibc-headers        i386    2.3.3-27.1           updates-released   530 k
> >>>>  glibc-kernheaders    i386    2.4-8.44             core               697 k
> >>>>  grep                 i386    2.5.1-26             core               168 k
> >>>>  gzip                 i386    1.3.3-12.2.legacy    updates-released    88 k
> >>>>  info                 i386    4.7-4                updates-released   147 k
> >>>>  initscripts          i386    7.55.2-1             updates-released   906 k
> >>>>  iproute              i386    2.4.7-14             core               591 k
> >>>>  iputils              i386    20020927-13          core                92 k
> >>>>  less                 i386    382-3                core                85 k
> >>>>  libacl               i386    2.2.7-5              core                15 k
> >>>>  libattr              i386    2.4.1-4              core               8.6 k
> >>>>  libgcc               i386    3.3.3-7              core                33 k
> >>>>  libselinux           i386    1.11.4-1             core                45 k
> >>>>  libstdc++            i386    3.3.3-7              core               240 k
> >>>>  libstdc++-devel      i386    3.3.3-7              core               1.3 M
> >>>>  libtermcap           i386    2.0.8-38             core                12 k
> >>>>  make                 i386    1:3.80-3             core               337 k
> >>>>  mingetty             i386    1.07-2               core                18 k
> >>>>  mktemp               i386    2:1.5-7              core                12 k
> >>>>  modutils             i386    2.4.26-16            core               395 k
> >>>>  ncurses              i386    5.4-5                core               1.5 M
> >>>>  net-tools            i386    1.60-25.1            updates-released   311 k
> >>>>  pam                  i386    0.77-40              core               1.9 M
> >>>>  patch                i386    2.5.4-19             core                61 k
> >>>>  pcre                 i386    4.5-2                core                59 k
> >>>>  perl                 i386    3:5.8.3-18           core                11 M
> >>>>  perl-Filter          i386    1.30-5               core                68 k
> >>>>  popt                 i386    1.9.1-0.4.1          updates-released    61 k
> >>>>  procps               i386    3.2.0-1.2            updates-released   176 k
> >>>>  psmisc               i386    21.4-2               core                41 k
> >>>>  redhat-rpm-config    noarch  8.0.28-1.1.1         core                41 k
> >>>>  rpm                  i386    4.3.1-0.4.1          updates-released   2.2 M
> >>>>  rpm-build            i386    4.3.1-0.4.1          updates-released   437 k
> >>>>  sed                  i386    4.0.8-4              core               116 k
> >>>>  setup                noarch  2.5.33-1             core                29 k
> >>>>  shadow-utils         i386    2:4.0.3-55           updates-released   671 k
> >>>>  sysklogd             i386    1.4.1-16             core                65 k
> >>>>  tar                  i386    1.13.25-14           core               351 k
> >>>>  termcap              noarch  11.0.1-18.1          core               237 k
> >>>>  tzdata               noarch  2005f-1.fc2          updates-released   449 k
> >>>>  unzip                i386    5.50-37              core               139 k
> >>>>  util-linux           i386    2.12-19              updates-released   1.5 M
> >>>>  which                i386    2.16-2               core                21 k
> >>>>  words                noarch  2-22                 core               137 k
> >>>>  zlib                 i386    1.2.1.2-0.fc2        updates-released    44 k
> >>>>
> >>>> After installing all of these packages successfully, the next thing that
> >>>> happens is:
> >>>>
> >>>> Executing /usr/sbin/mock-helper
> >>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c
> >>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
> >>>>
> >>>> and at that point the "useradd" process just hangs indefinitely. I'm
> >>>> told that if SELinux is disabled (I've tried permissive mode and that
> >>>> doesn't help), this works. I can't see any AVCs in the logs.
> >>>>
> >>>> Any ideas what might be causing this and how it might be fixed?
> >>
> >>
> >>> In fc2 you should disable SELinux.
> >>
> >> I'm running this on FC5; what I'm trying to do is set up a chroot with
> >> FC2 packages. This includes the FC2 version of useradd, and it's this
> >> that's hanging when run in the chroot.
> >>
> >> I'd happily give things in the chroot the impression that SELinux is
> >> disabled (I believe mock actually does this already) but I *really*
> >> don't want to disable SELinux on my FC5 host.
> >>
> >> Paul.
> > I have no idea why this would happen then. And I am not sure I believe
> > them when they say that if SELinux was disabled this would work
> > differently, unless there is a kernel bug. You are not seeing avc
> > messages, correct?
>
> Correct.
>
> > Usually if it does not work in permissive mode it is
> > not an SELinux problem.
>
> *Usually*...
>
> I guess I'll have to bite the bullet and try it with SELinux disabled
> (so I'll have to relabel my desktop box afterwards, sigh). I know of two
> people that have this working with SELinux disabled, and I vaguely
> recall it working for me when I was first trying this (with SELinux
> disabled, probably a year ago). I've got it working for everything from
> RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing
> something significantly wrong.

I've now got a nice shiny new x86_64 box so at last I've been able to
sacrifice my old build system by disabling SELinux on it. My recollection
was correct - the mock build for FC2 worked just fine with SELinux
disabled.

Any thoughts on what might be going on here?

Paul.

From sds at tycho.nsa.gov Wed Aug 9 12:33:14 2006
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 Aug 2006 08:33:14 -0400 Subject: FC2 useradd in chroot on FC5 host with SELinux In-Reply-To: <1155112070.25659.2.camel@metropolis.intra.city-fan.org> References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> Message-ID: <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote: > On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote: > > Daniel J Walsh wrote: > > > Paul Howarth wrote: > > >> Daniel J Walsh wrote: > > >>> Paul Howarth wrote: > > >>>> I use mock to build packages for old distributions in a chroot-ed > > >>>> environment on my FC5 box. I've pretty well got this working for all > > >>>> old > > >>>> distributions now apart from FC2 (see > > >>>> http://www.fedoraproject.org/wiki/Legacy/Mock). 
> > >>>> On FC2, the process gets off to quite a good start, installing the following packages into the chroot:
> > >>>>
> > >>>> =============================================================================
> > >>>> Package            Arch    Version            Repository        Size
> > >>>> =============================================================================
> > >>>> Installing:
> > >>>>  buildsys-build    noarch  0.5-1.CF.fc2       groups            1.8 k
> > >>>> Installing for dependencies:
> > >>>>  SysVinit          i386    2.85-25            core               96 k
> > >>>>  basesystem        noarch  8.0-3              core              2.7 k
> > >>>>  bash              i386    2.05b-38           core              1.5 M
> > >>>>  beecrypt          i386    3.1.0-3            core               64 k
> > >>>>  binutils          i386    2.15.90.0.3-5      core              2.8 M
> > >>>>  buildsys-macros   noarch  2-2.fc2            groups            2.1 k
> > >>>>  bzip2             i386    1.0.2-12.1         core               48 k
> > >>>>  bzip2-libs        i386    1.0.2-12.1         core               32 k
> > >>>>  chkconfig         i386    1.3.9-1.1          core               99 k
> > >>>>  coreutils         i386    5.2.1-7            core              2.8 M
> > >>>>  cpio              i386    2.5-6              core               45 k
> > >>>>  cpp               i386    3.3.3-7            core              1.4 M
> > >>>>  cracklib          i386    2.7-27.1           core               26 k
> > >>>>  cracklib-dicts    i386    2.7-27.1           core              409 k
> > >>>>  db4               i386    4.2.52-3.1         core              1.5 M
> > >>>>  dev               i386    3.3.13-1           core              3.6 M
> > >>>>  diffutils         i386    2.8.1-11           core              205 k
> > >>>>  e2fsprogs         i386    1.35-7.1           core              728 k
> > >>>>  elfutils-libelf   i386    0.95-2             core               36 k
> > >>>>  ethtool           i386    1.8-3.1            core               48 k
> > >>>>  fedora-release    i386    2-4                core               92 k
> > >>>>  file              i386    4.07-4             core              242 k
> > >>>>  filesystem        i386    2.2.4-1            core               18 k
> > >>>>  findutils         i386    1:4.1.7-25         core              102 k
> > >>>>  gawk              i386    3.1.3-7            core              1.5 M
> > >>>>  gcc               i386    3.3.3-7            core              3.8 M
> > >>>>  gcc-c++           i386    3.3.3-7            core              2.0 M
> > >>>>  gdbm              i386    1.8.0-22.1         core               26 k
> > >>>>  glib              i386    1:1.2.10-12.1.1    core              134 k
> > >>>>  glib2             i386    2.4.8-1.fc2        updates-released  477 k
> > >>>>  glibc             i686    2.3.3-27.1         updates-released  4.9 M
> > >>>>  glibc-common      i386    2.3.3-27.1         updates-released   14 M
> > >>>>  glibc-devel       i386    2.3.3-27.1         updates-released  1.9 M
> > >>>>  glibc-headers     i386    2.3.3-27.1         updates-released  530 k
> > >>>>  glibc-kernheaders i386    2.4-8.44           core              697 k
> > >>>>  grep              i386    2.5.1-26           core              168 k
> > >>>>  gzip              i386    1.3.3-12.2.legacy  updates-released   88 k
> > >>>>  info              i386    4.7-4              updates-released  147 k
> > >>>>  initscripts       i386    7.55.2-1           updates-released  906 k
> > >>>>  iproute           i386    2.4.7-14           core              591 k
> > >>>>  iputils           i386    20020927-13        core               92 k
> > >>>>  less              i386    382-3              core               85 k
> > >>>>  libacl            i386    2.2.7-5            core               15 k
> > >>>>  libattr           i386    2.4.1-4            core              8.6 k
> > >>>>  libgcc            i386    3.3.3-7            core               33 k
> > >>>>  libselinux        i386    1.11.4-1           core               45 k
> > >>>>  libstdc++         i386    3.3.3-7            core              240 k
> > >>>>  libstdc++-devel   i386    3.3.3-7            core              1.3 M
> > >>>>  libtermcap        i386    2.0.8-38           core               12 k
> > >>>>  make              i386    1:3.80-3           core              337 k
> > >>>>  mingetty          i386    1.07-2             core               18 k
> > >>>>  mktemp            i386    2:1.5-7            core               12 k
> > >>>>  modutils          i386    2.4.26-16          core              395 k
> > >>>>  ncurses           i386    5.4-5              core              1.5 M
> > >>>>  net-tools         i386    1.60-25.1          updates-released  311 k
> > >>>>  pam               i386    0.77-40            core              1.9 M
> > >>>>  patch             i386    2.5.4-19           core               61 k
> > >>>>  pcre              i386    4.5-2              core               59 k
> > >>>>  perl              i386    3:5.8.3-18         core               11 M
> > >>>>  perl-Filter       i386    1.30-5             core               68 k
> > >>>>  popt              i386    1.9.1-0.4.1        updates-released   61 k
> > >>>>  procps            i386    3.2.0-1.2          updates-released  176 k
> > >>>>  psmisc            i386    21.4-2             core               41 k
> > >>>>  redhat-rpm-config noarch  8.0.28-1.1.1       core               41 k
> > >>>>  rpm               i386    4.3.1-0.4.1        updates-released  2.2 M
> > >>>>  rpm-build         i386    4.3.1-0.4.1        updates-released  437 k
> > >>>>  sed               i386    4.0.8-4            core              116 k
> > >>>>  setup             noarch  2.5.33-1           core               29 k
> > >>>>  shadow-utils      i386    2:4.0.3-55         updates-released  671 k
> > >>>>  sysklogd          i386    1.4.1-16           core               65 k
> > >>>>  tar               i386    1.13.25-14         core              351 k
> > >>>>  termcap           noarch  11.0.1-18.1        core              237 k
> > >>>>  tzdata            noarch  2005f-1.fc2        updates-released  449 k
> > >>>>  unzip             i386    5.50-37            core              139 k
> > >>>>  util-linux        i386    2.12-19            updates-released  1.5 M
> > >>>>  which             i386    2.16-2             core               21 k
> > >>>>  words             noarch  2-22               core              137 k
> > >>>>  zlib              i386    1.2.1.2-0.fc2      updates-released   44 k
> > >>>>
> > >>>> After installing all of these packages successfully, the next thing that happens is:
> > >>>>
> > >>>> Executing /usr/sbin/mock-helper chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild"
> > >>>>
> > >>>> and at that point the "useradd" process just hangs indefinitely. I'm told that if SELinux is disabled (I've tried permissive mode and that doesn't help), this works. I can't see any AVCs in the logs.
> > >>>>
> > >>>> Any ideas what might be causing this and how it might be fixed?
> > >>
> > >>> In fc2 you should disable SELinux.
> > >>
> > >> I'm running this on FC5; what I'm trying to do is set up a chroot with FC2 packages. This includes the FC2 version of useradd, and it's this that's hanging when run in the chroot.
> > >>
> > >> I'd happily give things in the chroot the impression that SELinux is disabled (I believe mock actually does this already) but I *really* don't want to disable SELinux on my FC5 host.
> > >>
> > >> Paul.
> > > I have no idea why this would happen then. And I am not sure I believe them when they say that if SELinux was disabled this would work differently, unless there is a kernel bug. You are not seeing avc messages, correct?
> >
> > Correct.
> >
> > > Usually if it does not work in permissive mode it is not an SELinux problem.
> >
> > *Usually*...
> >
> > I guess I'll have to bite the bullet and try it with SELinux disabled (so I'll have to relabel my desktop box afterwards, sigh). I know of two people that have this working with SELinux disabled, and I vaguely recall it working for me when I was first trying this (with SELinux disabled, probably a year ago). I've got it working for everything from RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing something significantly wrong.
>
> I've now got a nice shiny new x86_64 box so at last I've been able to sacrifice my old build system by disabling SELinux on it. My recollection was correct - the mock build for FC2 worked just fine with SELinux disabled.
>
> Any thoughts on what might be going on here?

Did you ever try stracing the useradd process to see what it is doing at the point where it hangs?

-- 
Stephen Smalley
National Security Agency

From paul at city-fan.org Wed Aug 9 13:27:03 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 09 Aug 2006 14:27:03 +0100
Subject: FC2 useradd in chroot on FC5 host with SELinux
In-Reply-To: <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil>
References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <44D9E2A7.5020201@city-fan.org>

Stephen Smalley wrote:
> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>> Daniel J Walsh wrote:
>>>> Paul Howarth wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Paul Howarth wrote:
>>>>>>> I use mock to build packages for old distributions in a chroot-ed environment on my FC5 box. I've pretty well got this working for all old distributions now apart from FC2 (see http://www.fedoraproject.org/wiki/Legacy/Mock).
>>>>>>> [...]
>>>
>>> I guess I'll have to bite the bullet and try it with SELinux disabled (so I'll have to relabel my desktop box afterwards, sigh). I know of two people that have this working with SELinux disabled, and I vaguely recall it working for me when I was first trying this (with SELinux disabled, probably a year ago). I've got it working for everything from RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing something significantly wrong.
>> I've now got a nice shiny new x86_64 box so at last I've been able to sacrifice my old build system by disabling SELinux on it. My recollection was correct - the mock build for FC2 worked just fine with SELinux disabled.
>>
>> Any thoughts on what might be going on here?
>
> Did you ever try stracing the useradd process to see what it is doing at the point where it hangs?

It's a bit fiddly to do this for mock because it runs all "root" commands through an SUID helper that checks what it's running. However, by adding the following line to the FC2 mock config line, I think I may have turned something up:

config_opts['chroot'] = '/usr/bin/strace /usr/sbin/mock-helper chroot'

With this set, the build actually seems to get further than the "useradd", though the "useradd" does in fact fail because the chroot is refused:

execve("/usr/sbin/chroot", ["chroot", "/var/lib/mock/fedora-2-i386-core"..., "/bin/su", "-", "root", "-c", "/usr/sbin/useradd -m -u 500 -d /"...], [/* 2 vars */]) = 0
brk(0) = 0x505000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaaab000
uname({sys="Linux", node="metropolis.intra.city-fan.org", ...}) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=84704, ...}) = 0
mmap(NULL, 84704, PROT_READ, MAP_PRIVATE, 5, 0) = 0x2aaaaaaac000
close(5) = 0
open("/lib64/libc.so.6", O_RDONLY) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\317\321"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=1653608, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac1000
mmap(0x30f6d00000, 2392200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x30f6d00000
mprotect(0x30f6e3f000, 1048576, PROT_NONE) = 0
mmap(0x30f6f3f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x13f000) = 0x30f6f3f000
mmap(0x30f6f44000, 16520, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x30f6f44000
close(5) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac2000
arch_prctl(ARCH_SET_FS, 0x2aaaaaac2230) = 0
mprotect(0x30f6f3f000, 16384, PROT_READ) = 0
mprotect(0x30f6c19000, 4096, PROT_READ) = 0
munmap(0x2aaaaaaac000, 84704) = 0
brk(0) = 0x505000
brk(0x526000) = 0x526000
chroot("/var/lib/mock/fedora-2-i386-core/root") = -1 EPERM (Operation not permitted)
write(2, "chroot: ", 8chroot: ) = 8
write(2, "cannot change root directory to "..., 69cannot change root directory to /var/lib/mock/fedora-2-i386-core/root) = 69
write(2, ": Operation not permitted", 25: Operation not permitted) = 25
write(2, "\n", 1 ) = 1
close(1) = 0
exit_group(1) = ?
Process 2287 detached

So, any thoughts on why the "Operation not permitted" for the chroot would happen? Is this to do with running under strace, or is it the underlying issue?

All "chroot" calls seem to have failed in the trace.

Without the strace, I know the "/builddir" directory (which is to be the home directory of the added user) isn't created, so I suspect that running under strace isn't the problem in itself.

Paul.

From paul at city-fan.org Wed Aug 9 13:41:50 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 09 Aug 2006 14:41:50 +0100
Subject: FC2 useradd in chroot on FC5 host with SELinux
In-Reply-To: <44D9E2A7.5020201@city-fan.org>
References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9E2A7.5020201@city-fan.org>
Message-ID: <44D9E61E.2050900@city-fan.org>

Paul Howarth wrote:
> All "chroot" calls seem to have failed in the trace.
>
> Without the strace, I know the "/builddir" directory (which is to be the home directory of the added user) isn't created, so I suspect that running under strace isn't the problem in itself.

Actually I have to take this back. Using the same mock hack for FC3 causes a fail in exactly the same way, with all chroot() calls failing.

I think I'll need to hack at the mock-helper code to allow that to invoke strace rather than running the mock-helper under strace itself. Or is that likely to fail in the same way?

Paul.

From paul at city-fan.org Wed Aug 9 15:28:59 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 09 Aug 2006 16:28:59 +0100
Subject: FC2 useradd in chroot on FC5 host with SELinux
In-Reply-To: <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil>
References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <44D9FF3B.6090202@city-fan.org>

Stephen Smalley wrote:
> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>> Daniel J Walsh wrote:
>>>> Paul Howarth wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Paul Howarth wrote:
>>>>>>> I use mock to build packages for old distributions in a chroot-ed environment on my FC5 box. I've pretty well got this working for all old distributions now apart from FC2 (see http://www.fedoraproject.org/wiki/Legacy/Mock).
>>>>>>> [...]
>>>
>>> I guess I'll have to bite the bullet and try it with SELinux disabled (so I'll have to relabel my desktop box afterwards, sigh). I know of two people that have this working with SELinux disabled, and I vaguely recall it working for me when I was first trying this (with SELinux disabled, probably a year ago). I've got it working for everything from RHL7 through to FC5 targets apart from FC2, so I doubt I'm doing something significantly wrong.
>> I've now got a nice shiny new x86_64 box so at last I've been able to sacrifice my old build system by disabling SELinux on it. My recollection was correct - the mock build for FC2 worked just fine with SELinux disabled.
>>
>> Any thoughts on what might be going on here?
>
> Did you ever try stracing the useradd process to see what it is doing at the point where it hangs?

Aha. Now we're getting somewhere:

open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
open("/proc/filesystems", O_RDONLY) = 5
read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360
open("/proc/self/attr/current", O_RDONLY) = 6
read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(6) = 0
close(5) = 0
open("/proc/self/attr/current", O_RDONLY) = 5
read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26
close(5) = 0
open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or directory)
open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0
time([-577099120727426906]) = 1155135654
write(2, "Would you like to enter a securi"..., 48Would you like to enter a security context? [y] ) = 48
ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
+++ killed by SIGTERM +++
Process 6199 detached

Any suggestions on how I get past this request to enter a security context, or better still, have it not ask?

Paul.

From dwalsh at redhat.com Wed Aug 9 15:38:43 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 09 Aug 2006 11:38:43 -0400
Subject: FC2 useradd in chroot on FC5 host with SELinux
In-Reply-To: <44D9FF3B.6090202@city-fan.org>
References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9FF3B.6090202@city-fan.org>
Message-ID: <44DA0183.2020608@redhat.com>

Paul Howarth wrote:
> Stephen Smalley wrote:
>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote:
>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote:
>>>> Daniel J Walsh wrote:
>>>>> Paul Howarth wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> I use mock to build packages for old distributions in a chroot-ed environment on my FC5 box. I've pretty well got this working for all old distributions now apart from FC2 (see http://www.fedoraproject.org/wiki/Legacy/Mock).
>>>>>>>> [...]
>>
>> Did you ever try stracing the useradd process to see what it is doing at the point where it hangs?
>
> Aha.
Now we're getting somewhere: > > open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or > directory) > rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 > ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo > ...}) = 0 > open("/proc/filesystems", O_RDONLY) = 5 > read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360 > open("/proc/self/attr/current", O_RDONLY) = 6 > read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26 > close(6) = 0 > close(5) = 0 > open("/proc/self/attr/current", O_RDONLY) = 5 > read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26 > close(5) = 0 > open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or > directory) > open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or > directory) > open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such > file or directory) > ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo > ...}) = 0 > ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo > ...}) = 0 > rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0 > time([-577099120727426906]) = 1155135654 > write(2, "Would you like to enter a securi"..., 48Would you like to > enter a security context? [y] ) = 48 > ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon > echo ...}) = 0 > read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted) > --- SIGTERM (Terminated) @ 0 (0) --- > +++ killed by SIGTERM +++ > Process 6199 detached > > > Any suggestions on how I get past this request to enter a security > context, or better still, have it not ask? > > Paul. Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use runuser. From paul at city-fan.org Wed Aug 9 15:55:35 2006 
From: paul at city-fan.org (Paul Howarth) Date: Wed, 09 Aug 2006 16:55:35 +0100 Subject: FC2 useradd in chroot on FC5 host with SELinux In-Reply-To: <44DA0183.2020608@redhat.com> References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9FF3B.6090202@city-fan.org> <44DA0183.2020608@redhat.com> Message-ID: <44DA0577.2020506@city-fan.org> Daniel J Walsh wrote: > Paul Howarth wrote: >> Stephen Smalley wrote: >>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote: >>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote: >>>>> Daniel J Walsh wrote: >>>>>> Paul Howarth wrote: >>>>>>> Daniel J Walsh wrote: >>>>>>>> Paul Howarth wrote: >>>>>>>>> I use mock to build packages for old distributions in a chroot-ed >>>>>>>>> environment on my FC5 box. I've pretty well got this working >>>>>>>>> for all old >>>>>>>>> distributions now apart from FC2 (see >>>>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). 
On FC2, the >>>>>>>>> process gets >>>>>>>>> off to quite a good start, installing the following packages >>>>>>>>> into the >>>>>>>>> chroot: >>>>>>>>> >>>>>>>>> ============================================================================= >>>>>>>>> >>>>>>>>> Package Arch Version Repository >>>>>>>>> Size >>>>>>>>> ============================================================================= >>>>>>>>> >>>>>>>>> Installing: >>>>>>>>> buildsys-build noarch 0.5-1.CF.fc2 groups >>>>>>>>> 1.8 k >>>>>>>>> Installing for dependencies: >>>>>>>>> SysVinit i386 2.85-25 core >>>>>>>>> 96 k >>>>>>>>> basesystem noarch 8.0-3 core >>>>>>>>> 2.7 k >>>>>>>>> bash i386 2.05b-38 core >>>>>>>>> 1.5 M >>>>>>>>> beecrypt i386 3.1.0-3 core >>>>>>>>> 64 k >>>>>>>>> binutils i386 2.15.90.0.3-5 core >>>>>>>>> 2.8 M >>>>>>>>> buildsys-macros noarch 2-2.fc2 groups >>>>>>>>> 2.1 k >>>>>>>>> bzip2 i386 1.0.2-12.1 core >>>>>>>>> 48 k >>>>>>>>> bzip2-libs i386 1.0.2-12.1 core >>>>>>>>> 32 k chkconfig i386 1.3.9-1.1 core >>>>>>>>> 99 k >>>>>>>>> coreutils i386 5.2.1-7 core >>>>>>>>> 2.8 M >>>>>>>>> cpio i386 2.5-6 core >>>>>>>>> 45 k >>>>>>>>> cpp i386 3.3.3-7 core >>>>>>>>> 1.4 M >>>>>>>>> cracklib i386 2.7-27.1 core >>>>>>>>> 26 k >>>>>>>>> cracklib-dicts i386 2.7-27.1 core >>>>>>>>> 409 k >>>>>>>>> db4 i386 4.2.52-3.1 core >>>>>>>>> 1.5 M >>>>>>>>> dev i386 3.3.13-1 core >>>>>>>>> 3.6 M >>>>>>>>> diffutils i386 2.8.1-11 core >>>>>>>>> 205 k >>>>>>>>> e2fsprogs i386 1.35-7.1 core >>>>>>>>> 728 k >>>>>>>>> elfutils-libelf i386 0.95-2 core >>>>>>>>> 36 k >>>>>>>>> ethtool i386 1.8-3.1 core >>>>>>>>> 48 k >>>>>>>>> fedora-release i386 2-4 core >>>>>>>>> 92 k >>>>>>>>> file i386 4.07-4 core >>>>>>>>> 242 k >>>>>>>>> filesystem i386 2.2.4-1 core >>>>>>>>> 18 k >>>>>>>>> findutils i386 1:4.1.7-25 core >>>>>>>>> 102 k >>>>>>>>> gawk i386 3.1.3-7 core >>>>>>>>> 1.5 M >>>>>>>>> gcc i386 3.3.3-7 core >>>>>>>>> 3.8 M >>>>>>>>> gcc-c++ i386 3.3.3-7 core >>>>>>>>> 2.0 M >>>>>>>>> gdbm i386 1.8.0-22.1 core 
>>>>>>>>> 26 k >>>>>>>>> glib i386 1:1.2.10-12.1.1 core >>>>>>>>> 134 k >>>>>>>>> glib2 i386 2.4.8-1.fc2 >>>>>>>>> updates-released >>>>>>>>> 477 k >>>>>>>>> glibc i686 2.3.3-27.1 >>>>>>>>> updates-released >>>>>>>>> 4.9 M >>>>>>>>> glibc-common i386 2.3.3-27.1 >>>>>>>>> updates-released >>>>>>>>> 14 M >>>>>>>>> glibc-devel i386 2.3.3-27.1 >>>>>>>>> updates-released >>>>>>>>> 1.9 M >>>>>>>>> glibc-headers i386 2.3.3-27.1 >>>>>>>>> updates-released >>>>>>>>> 530 k >>>>>>>>> glibc-kernheaders i386 2.4-8.44 core >>>>>>>>> 697 k >>>>>>>>> grep i386 2.5.1-26 core >>>>>>>>> 168 k >>>>>>>>> gzip i386 1.3.3-12.2.legacy >>>>>>>>> updates-released >>>>>>>>> 88 k >>>>>>>>> info i386 4.7-4 >>>>>>>>> updates-released >>>>>>>>> 147 k >>>>>>>>> initscripts i386 7.55.2-1 >>>>>>>>> updates-released >>>>>>>>> 906 k >>>>>>>>> iproute i386 2.4.7-14 core >>>>>>>>> 591 k >>>>>>>>> iputils i386 20020927-13 core >>>>>>>>> 92 k >>>>>>>>> less i386 382-3 core >>>>>>>>> 85 k >>>>>>>>> libacl i386 2.2.7-5 core >>>>>>>>> 15 k >>>>>>>>> libattr i386 2.4.1-4 core >>>>>>>>> 8.6 k >>>>>>>>> libgcc i386 3.3.3-7 core >>>>>>>>> 33 k >>>>>>>>> libselinux i386 1.11.4-1 core >>>>>>>>> 45 k >>>>>>>>> libstdc++ i386 3.3.3-7 core >>>>>>>>> 240 k >>>>>>>>> libstdc++-devel i386 3.3.3-7 core >>>>>>>>> 1.3 M >>>>>>>>> libtermcap i386 2.0.8-38 core >>>>>>>>> 12 k >>>>>>>>> make i386 1:3.80-3 core >>>>>>>>> 337 k >>>>>>>>> mingetty i386 1.07-2 core >>>>>>>>> 18 k >>>>>>>>> mktemp i386 2:1.5-7 core >>>>>>>>> 12 k >>>>>>>>> modutils i386 2.4.26-16 core >>>>>>>>> 395 k >>>>>>>>> ncurses i386 5.4-5 core >>>>>>>>> 1.5 M >>>>>>>>> net-tools i386 1.60-25.1 >>>>>>>>> updates-released >>>>>>>>> 311 k >>>>>>>>> pam i386 0.77-40 core >>>>>>>>> 1.9 M >>>>>>>>> patch i386 2.5.4-19 core >>>>>>>>> 61 k >>>>>>>>> pcre i386 4.5-2 core >>>>>>>>> 59 k >>>>>>>>> perl i386 3:5.8.3-18 core >>>>>>>>> 11 M >>>>>>>>> perl-Filter i386 1.30-5 core >>>>>>>>> 68 k >>>>>>>>> popt i386 1.9.1-0.4.1 >>>>>>>>> updates-released >>>>>>>>> 61 k 
>>>>>>>>> procps i386 3.2.0-1.2 >>>>>>>>> updates-released >>>>>>>>> 176 k >>>>>>>>> psmisc i386 21.4-2 core >>>>>>>>> 41 k >>>>>>>>> redhat-rpm-config noarch 8.0.28-1.1.1 core >>>>>>>>> 41 k >>>>>>>>> rpm i386 4.3.1-0.4.1 >>>>>>>>> updates-released >>>>>>>>> 2.2 M >>>>>>>>> rpm-build i386 4.3.1-0.4.1 >>>>>>>>> updates-released >>>>>>>>> 437 k >>>>>>>>> sed i386 4.0.8-4 core >>>>>>>>> 116 k >>>>>>>>> setup noarch 2.5.33-1 core >>>>>>>>> 29 k >>>>>>>>> shadow-utils i386 2:4.0.3-55 >>>>>>>>> updates-released >>>>>>>>> 671 k >>>>>>>>> sysklogd i386 1.4.1-16 core >>>>>>>>> 65 k >>>>>>>>> tar i386 1.13.25-14 core >>>>>>>>> 351 k >>>>>>>>> termcap noarch 11.0.1-18.1 core >>>>>>>>> 237 k >>>>>>>>> tzdata noarch 2005f-1.fc2 >>>>>>>>> updates-released >>>>>>>>> 449 k >>>>>>>>> unzip i386 5.50-37 core >>>>>>>>> 139 k >>>>>>>>> util-linux i386 2.12-19 >>>>>>>>> updates-released >>>>>>>>> 1.5 M >>>>>>>>> which i386 2.16-2 core >>>>>>>>> 21 k >>>>>>>>> words noarch 2-22 core >>>>>>>>> 137 k >>>>>>>>> zlib i386 1.2.1.2-0.fc2 >>>>>>>>> updates-released >>>>>>>>> 44 k >>>>>>>>> >>>>>>>>> After installing all of these packages successfully, the next >>>>>>>>> thing that >>>>>>>>> happens is: >>>>>>>>> >>>>>>>>> Executing /usr/sbin/mock-helper >>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c >>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild" >>>>>>>>> >>>>>>>>> and at that point the "useradd" process just hangs >>>>>>>>> indefinitely. I'm >>>>>>>>> told that if SELinux is disabled (I've tried permissive mode >>>>>>>>> and that >>>>>>>>> doesn't help), this works. I can't see any AVCs in the logs. >>>>>>>>> >>>>>>>>> Any ideas what might be causing this and how it might be fixed? >>>>>>> >>>>>>>> In fc2 you should disable SELinux. >>>>>>> I'm running this on FC5; what I'm trying to do is set up a chroot >>>>>>> with FC2 packages. This includes the FC2 version of useradd, and >>>>>>> it's this that's hanging when run in the chroot. 
>>>>>>> >>>>>>> I'd happily give things in the chroot the impression that SELinux >>>>>>> is disabled (I believe mock actually does this already) but I >>>>>>> *really* don't want to disable SELinux on my FC5 host. >>>>>>> >>>>>>> Paul. >>>>>> I have no idea why this would happen then. And I am not sure I >>>>>> believe them when they say that if SELinux was disabled this would >>>>>> work differently, unless there is a kernel bug. You are not >>>>>> seeing avc messages, correct? >>>>> Correct. >>>>> >>>>>> Usually if it does not work in permissive mode it is not an >>>>>> SELinux problem. >>>>> *Usually*... >>>>> >>>>> I guess I'll have to bite the bullet and try it with SELinux >>>>> disabled (so I'll have to relabel my desktop box afterwards, sigh). >>>>> I know of two people that have this working with SELinux disabled, >>>>> and I vaguely recall it working for me when I was first trying this >>>>> (with SELinux disabled, probably a year ago). I've got it working >>>>> for everything from RHL7 through to FC5 targets apart from FC2, so >>>>> I doubt I'm doing something significantly wrong. >>>> I've now got a nice shiny new x86_64 box so at last I've been able to >>>> sacrifice my old build system by disabling SELinux on it. My >>>> recollection was correct - the mock build for FC2 worked just fine with >>>> SELinux disabled. >>>> >>>> Any thoughts on what might be going on here? >>> >>> Did you ever try stracing the useradd process to see what it is doing at >>> the point where it hangs? >> >> Aha. 
Now we're getting somewhere: >> >> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or >> directory) >> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 >> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo >> ...}) = 0 >> open("/proc/filesystems", O_RDONLY) = 5 >> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360 >> open("/proc/self/attr/current", O_RDONLY) = 6 >> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26 >> close(6) = 0 >> close(5) = 0 >> open("/proc/self/attr/current", O_RDONLY) = 5 >> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26 >> close(5) = 0 >> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or >> directory) >> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or >> directory) >> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such >> file or directory) >> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo >> ...}) = 0 >> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo >> ...}) = 0 >> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0 >> time([-577099120727426906]) = 1155135654 >> write(2, "Would you like to enter a securi"..., 48Would you like to >> enter a security context? [y] ) = 48 >> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon >> echo ...}) = 0 >> read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be restarted) >> --- SIGTERM (Terminated) @ 0 (0) --- >> +++ killed by SIGTERM +++ >> Process 6199 detached >> >> >> Any suggestions on how I get past this request to enter a security >> context, or better still, have it not ask? >> >> Paul. > Remove multiple from pam_selinux line in /etc/pam.d/su or better yet use > runuser. FC2 doesn't have runuser, which is why we need to use su here. I should be able to fix /etc/pam.d/su by patching the FC2 coreutils package to remove the "multiple"; what's that actually do? 
Mock includes a dummy libselinux that works for FC3 onwards in convincing programs running in the chroot that selinux is disabled:

    #include <selinux/selinux.h>   /* declares security_context_t */

    extern int is_selinux_enabled(void)
    {
        /* always return 0; this way we don't trigger any SELINUX calls */
        return 0;
    }

    /* this function gives failures when installing basic rpms in the root;
     * so we fake it out as well */
    extern int lsetfilecon(const char *path, security_context_t con)
    {
        return 0;
    }

Why does this not seem to be working for FC2?

Paul.

From paul at city-fan.org Wed Aug 9 17:28:33 2006
From: paul at city-fan.org (Paul Howarth) Date: Wed, 09 Aug 2006 18:28:33 +0100 Subject: FC2 useradd in chroot on FC5 host with SELinux In-Reply-To: <44DA0577.2020506@city-fan.org> References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9FF3B.6090202@city-fan.org> <44DA0183.2020608@redhat.com> <44DA0577.2020506@city-fan.org> Message-ID: <44DA1B41.70905@city-fan.org> Paul Howarth wrote: > Daniel J Walsh wrote: >> Paul Howarth wrote: >>> Stephen Smalley wrote: >>>> On Wed, 2006-08-09 at 09:27 +0100, Paul Howarth wrote: >>>>> On Thu, 2006-07-13 at 17:59 +0100, Paul Howarth wrote: >>>>>> Daniel J Walsh wrote: >>>>>>> Paul Howarth wrote: >>>>>>>> Daniel J Walsh wrote: >>>>>>>>> Paul Howarth wrote: >>>>>>>>>> I use mock to build packages for old distributions in a chroot-ed >>>>>>>>>> environment on my FC5 box. I've pretty well got this working >>>>>>>>>> for all old >>>>>>>>>> distributions now apart from FC2 (see >>>>>>>>>> http://www.fedoraproject.org/wiki/Legacy/Mock). 
On FC2, the >>>>>>>>>> process gets >>>>>>>>>> off to quite a good start, installing the following packages >>>>>>>>>> into the >>>>>>>>>> chroot: >>>>>>>>>> >>>>>>>>>> ============================================================================= >>>>>>>>>> >>>>>>>>>> Package Arch Version Repository >>>>>>>>>> Size >>>>>>>>>> ============================================================================= >>>>>>>>>> >>>>>>>>>> Installing: >>>>>>>>>> buildsys-build noarch 0.5-1.CF.fc2 groups >>>>>>>>>> 1.8 k >>>>>>>>>> Installing for dependencies: >>>>>>>>>> SysVinit i386 2.85-25 core >>>>>>>>>> 96 k >>>>>>>>>> basesystem noarch 8.0-3 core >>>>>>>>>> 2.7 k >>>>>>>>>> bash i386 2.05b-38 core >>>>>>>>>> 1.5 M >>>>>>>>>> beecrypt i386 3.1.0-3 core >>>>>>>>>> 64 k >>>>>>>>>> binutils i386 2.15.90.0.3-5 core >>>>>>>>>> 2.8 M >>>>>>>>>> buildsys-macros noarch 2-2.fc2 groups >>>>>>>>>> 2.1 k >>>>>>>>>> bzip2 i386 1.0.2-12.1 core >>>>>>>>>> 48 k >>>>>>>>>> bzip2-libs i386 1.0.2-12.1 core >>>>>>>>>> 32 k chkconfig i386 1.3.9-1.1 core >>>>>>>>>> 99 k >>>>>>>>>> coreutils i386 5.2.1-7 core >>>>>>>>>> 2.8 M >>>>>>>>>> cpio i386 2.5-6 core >>>>>>>>>> 45 k >>>>>>>>>> cpp i386 3.3.3-7 core >>>>>>>>>> 1.4 M >>>>>>>>>> cracklib i386 2.7-27.1 core >>>>>>>>>> 26 k >>>>>>>>>> cracklib-dicts i386 2.7-27.1 core >>>>>>>>>> 409 k >>>>>>>>>> db4 i386 4.2.52-3.1 core >>>>>>>>>> 1.5 M >>>>>>>>>> dev i386 3.3.13-1 core >>>>>>>>>> 3.6 M >>>>>>>>>> diffutils i386 2.8.1-11 core >>>>>>>>>> 205 k >>>>>>>>>> e2fsprogs i386 1.35-7.1 core >>>>>>>>>> 728 k >>>>>>>>>> elfutils-libelf i386 0.95-2 core >>>>>>>>>> 36 k >>>>>>>>>> ethtool i386 1.8-3.1 core >>>>>>>>>> 48 k >>>>>>>>>> fedora-release i386 2-4 core >>>>>>>>>> 92 k >>>>>>>>>> file i386 4.07-4 core >>>>>>>>>> 242 k >>>>>>>>>> filesystem i386 2.2.4-1 core >>>>>>>>>> 18 k >>>>>>>>>> findutils i386 1:4.1.7-25 core >>>>>>>>>> 102 k >>>>>>>>>> gawk i386 3.1.3-7 core >>>>>>>>>> 1.5 M >>>>>>>>>> gcc i386 3.3.3-7 core >>>>>>>>>> 3.8 M >>>>>>>>>> gcc-c++ 
i386 3.3.3-7 core >>>>>>>>>> 2.0 M >>>>>>>>>> gdbm i386 1.8.0-22.1 core >>>>>>>>>> 26 k >>>>>>>>>> glib i386 1:1.2.10-12.1.1 core >>>>>>>>>> 134 k >>>>>>>>>> glib2 i386 2.4.8-1.fc2 >>>>>>>>>> updates-released >>>>>>>>>> 477 k >>>>>>>>>> glibc i686 2.3.3-27.1 >>>>>>>>>> updates-released >>>>>>>>>> 4.9 M >>>>>>>>>> glibc-common i386 2.3.3-27.1 >>>>>>>>>> updates-released >>>>>>>>>> 14 M >>>>>>>>>> glibc-devel i386 2.3.3-27.1 >>>>>>>>>> updates-released >>>>>>>>>> 1.9 M >>>>>>>>>> glibc-headers i386 2.3.3-27.1 >>>>>>>>>> updates-released >>>>>>>>>> 530 k >>>>>>>>>> glibc-kernheaders i386 2.4-8.44 core >>>>>>>>>> 697 k >>>>>>>>>> grep i386 2.5.1-26 core >>>>>>>>>> 168 k >>>>>>>>>> gzip i386 1.3.3-12.2.legacy >>>>>>>>>> updates-released >>>>>>>>>> 88 k >>>>>>>>>> info i386 4.7-4 >>>>>>>>>> updates-released >>>>>>>>>> 147 k >>>>>>>>>> initscripts i386 7.55.2-1 >>>>>>>>>> updates-released >>>>>>>>>> 906 k >>>>>>>>>> iproute i386 2.4.7-14 core >>>>>>>>>> 591 k >>>>>>>>>> iputils i386 20020927-13 core >>>>>>>>>> 92 k >>>>>>>>>> less i386 382-3 core >>>>>>>>>> 85 k >>>>>>>>>> libacl i386 2.2.7-5 core >>>>>>>>>> 15 k >>>>>>>>>> libattr i386 2.4.1-4 core >>>>>>>>>> 8.6 k >>>>>>>>>> libgcc i386 3.3.3-7 core >>>>>>>>>> 33 k >>>>>>>>>> libselinux i386 1.11.4-1 core >>>>>>>>>> 45 k >>>>>>>>>> libstdc++ i386 3.3.3-7 core >>>>>>>>>> 240 k >>>>>>>>>> libstdc++-devel i386 3.3.3-7 core >>>>>>>>>> 1.3 M >>>>>>>>>> libtermcap i386 2.0.8-38 core >>>>>>>>>> 12 k >>>>>>>>>> make i386 1:3.80-3 core >>>>>>>>>> 337 k >>>>>>>>>> mingetty i386 1.07-2 core >>>>>>>>>> 18 k >>>>>>>>>> mktemp i386 2:1.5-7 core >>>>>>>>>> 12 k >>>>>>>>>> modutils i386 2.4.26-16 core >>>>>>>>>> 395 k >>>>>>>>>> ncurses i386 5.4-5 core >>>>>>>>>> 1.5 M >>>>>>>>>> net-tools i386 1.60-25.1 >>>>>>>>>> updates-released >>>>>>>>>> 311 k >>>>>>>>>> pam i386 0.77-40 core >>>>>>>>>> 1.9 M >>>>>>>>>> patch i386 2.5.4-19 core >>>>>>>>>> 61 k >>>>>>>>>> pcre i386 4.5-2 core >>>>>>>>>> 59 k >>>>>>>>>> perl i386 3:5.8.3-18 core 
>>>>>>>>>> 11 M >>>>>>>>>> perl-Filter i386 1.30-5 core >>>>>>>>>> 68 k >>>>>>>>>> popt i386 1.9.1-0.4.1 >>>>>>>>>> updates-released >>>>>>>>>> 61 k >>>>>>>>>> procps i386 3.2.0-1.2 >>>>>>>>>> updates-released >>>>>>>>>> 176 k >>>>>>>>>> psmisc i386 21.4-2 core >>>>>>>>>> 41 k >>>>>>>>>> redhat-rpm-config noarch 8.0.28-1.1.1 core >>>>>>>>>> 41 k >>>>>>>>>> rpm i386 4.3.1-0.4.1 >>>>>>>>>> updates-released >>>>>>>>>> 2.2 M >>>>>>>>>> rpm-build i386 4.3.1-0.4.1 >>>>>>>>>> updates-released >>>>>>>>>> 437 k >>>>>>>>>> sed i386 4.0.8-4 core >>>>>>>>>> 116 k >>>>>>>>>> setup noarch 2.5.33-1 core >>>>>>>>>> 29 k >>>>>>>>>> shadow-utils i386 2:4.0.3-55 >>>>>>>>>> updates-released >>>>>>>>>> 671 k >>>>>>>>>> sysklogd i386 1.4.1-16 core >>>>>>>>>> 65 k >>>>>>>>>> tar i386 1.13.25-14 core >>>>>>>>>> 351 k >>>>>>>>>> termcap noarch 11.0.1-18.1 core >>>>>>>>>> 237 k >>>>>>>>>> tzdata noarch 2005f-1.fc2 >>>>>>>>>> updates-released >>>>>>>>>> 449 k >>>>>>>>>> unzip i386 5.50-37 core >>>>>>>>>> 139 k >>>>>>>>>> util-linux i386 2.12-19 >>>>>>>>>> updates-released >>>>>>>>>> 1.5 M >>>>>>>>>> which i386 2.16-2 core >>>>>>>>>> 21 k >>>>>>>>>> words noarch 2-22 core >>>>>>>>>> 137 k >>>>>>>>>> zlib i386 1.2.1.2-0.fc2 >>>>>>>>>> updates-released >>>>>>>>>> 44 k >>>>>>>>>> >>>>>>>>>> After installing all of these packages successfully, the next >>>>>>>>>> thing that >>>>>>>>>> happens is: >>>>>>>>>> >>>>>>>>>> Executing /usr/sbin/mock-helper >>>>>>>>>> chroot /var/lib/mock/fedora-2-i386-core/root /bin/su - root -c >>>>>>>>>> "/usr/sbin/useradd -m -u 500 -d /builddir mockbuild" >>>>>>>>>> >>>>>>>>>> and at that point the "useradd" process just hangs >>>>>>>>>> indefinitely. I'm >>>>>>>>>> told that if SELinux is disabled (I've tried permissive mode >>>>>>>>>> and that >>>>>>>>>> doesn't help), this works. I can't see any AVCs in the logs. >>>>>>>>>> >>>>>>>>>> Any ideas what might be causing this and how it might be fixed? >>>>>>>> >>>>>>>>> In fc2 you should disable SELinux. 
>>>>>>>> I'm running this on FC5; what I'm trying to do is set up a >>>>>>>> chroot with FC2 packages. This includes the FC2 version of >>>>>>>> useradd, and it's this that's hanging when run in the chroot. >>>>>>>> >>>>>>>> I'd happily give things in the chroot the impression that >>>>>>>> SELinux is disabled (I believe mock actually does this already) >>>>>>>> but I *really* don't want to disable SELinux on my FC5 host. >>>>>>>> >>>>>>>> Paul. >>>>>>> I have no idea why this would happen then. And I am not sure I >>>>>>> believe them when they say that if SELinux was disabled this >>>>>>> would work differently, unless there is a kernel bug. You are >>>>>>> not seeing avc messages, correct? >>>>>> Correct. >>>>>> >>>>>>> Usually if it does not work in permissive mode it is not an >>>>>>> SELinux problem. >>>>>> *Usually*... >>>>>> >>>>>> I guess I'll have to bite the bullet and try it with SELinux >>>>>> disabled (so I'll have to relabel my desktop box afterwards, >>>>>> sigh). I know of two people that have this working with SELinux >>>>>> disabled, and I vaguely recall it working for me when I was first >>>>>> trying this (with SELinux disabled, probably a year ago). I've got >>>>>> it working for everything from RHL7 through to FC5 targets apart >>>>>> from FC2, so I doubt I'm doing something significantly wrong. >>>>> I've now got a nice shiny new x86_64 box so at last I've been able to >>>>> sacrifice my old build system by disabling SELinux on it. My >>>>> recollection was correct - the mock build for FC2 worked just fine >>>>> with >>>>> SELinux disabled. >>>>> >>>>> Any thoughts on what might be going on here? >>>> >>>> Did you ever try stracing the useradd process to see what it is >>>> doing at >>>> the point where it hangs? >>> >>> Aha. 
Now we're getting somewhere: >>> >>> open("/dev/console", O_WRONLY|O_NOCTTY) = -1 ENOENT (No such file or >>> directory) >>> rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 >>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon >>> echo ...}) = 0 >>> open("/proc/filesystems", O_RDONLY) = 5 >>> read(5, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 360 >>> open("/proc/self/attr/current", O_RDONLY) = 6 >>> read(6, "user_u:system_r:mock_t:s0\0", 4095) = 26 >>> close(6) = 0 >>> close(5) = 0 >>> open("/proc/self/attr/current", O_RDONLY) = 5 >>> read(5, "user_u:system_r:mock_t:s0\0", 4095) = 26 >>> close(5) = 0 >>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or >>> directory) >>> open("/selinux/user", O_RDWR) = -1 ENOENT (No such file or >>> directory) >>> open("/etc/security/failsafe_context", O_RDONLY) = -1 ENOENT (No such >>> file or directory) >>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon >>> echo ...}) = 0 >>> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon >>> echo ...}) = 0 >>> rt_sigprocmask(SIG_BLOCK, [INT TSTP], [], 8) = 0 >>> time([-577099120727426906]) = 1155135654 >>> write(2, "Would you like to enter a securi"..., 48Would you like to >>> enter a security context? [y] ) = 48 >>> ioctl(0, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon >>> echo ...}) = 0 >>> read(0, 0xff90f920, 511) = ? ERESTARTSYS (To be >>> restarted) >>> --- SIGTERM (Terminated) @ 0 (0) --- >>> +++ killed by SIGTERM +++ >>> Process 6199 detached >>> >>> >>> Any suggestions on how I get past this request to enter a security >>> context, or better still, have it not ask? >>> >>> Paul. >> Remove multiple from pam_selinux line in /etc/pam.d/su or better yet >> use runuser. > > FC2 doesn't have runuser, which is why we need to use su here. > > I should be able to fix /etc/pam.d/su by patching the FC2 coreutils > package to remove the "multiple"; what's that actually do? This didn't work. 
Fails in exactly the same way as before. I do see attempted reads of the non-existent files:

/selinux/access
/selinux/enforce
/selinux/user
/etc/security/failsafe_context

and I see a read of /proc/self/attr/current returning user_u:system_r:mock_t:s0, which clearly isn't going to be appropriate for a process running in an FC2 chroot.

Supposing I just remove the pam_selinux from /etc/pam.d/su altogether? Is that likely to break anything? Any other way of persuading an FC2 system that SELinux is disabled?

Paul.

From emeric.maschino at jouy.inra.fr Wed Aug 9 19:12:01 2006
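As an added example following Paul Howarth's message above (this is not code from mock, libselinux or anyone in the thread): the strace posted earlier shows the FC2 libselinux inside the chroot reading /proc/filesystems and /proc/self/attr/current, concluding that SELinux is enabled, and then failing to open /selinux/user because selinuxfs is not mounted inside the chroot. The C below models that decision on constructed input, places it beside the unconditional "disabled" answer that mock's dummy libselinux (quoted two messages up) gives, and adds a simplified stand-in for pam_selinux's "prompt or not" decision. The probe logic is reconstructed from the syscall sequence in the strace rather than copied from libselinux, the sample /proc/filesystems text is constructed, the would_prompt_for_context() rule is my simplification of pam_selinux's behaviour, and all function names are assumptions.

```c
/*
 * Added example, not mock's or libselinux's code.  Models the
 * SELinux-enabled probe visible in the thread's strace
 * (/proc/filesystems, then /proc/self/attr/current) next to the
 * always-disabled answer of a shim library.  Probe details are an
 * assumption reconstructed from the strace, not libselinux source.
 */
#include <stdio.h>
#include <string.h>

/* Return 1 if a /proc/filesystems listing (one "[nodev]\tname\n" entry per
 * line) names selinuxfs.  The text is passed in so the check runs offline
 * on constructed data instead of reading the live /proc. */
int lists_selinuxfs(const char *filesystems_text)
{
    const char *p = filesystems_text;
    while (p && *p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *name = memchr(p, '\t', len);   /* skip the "nodev" flag column */
        size_t name_len;
        if (name) { name++; name_len = len - (size_t)(name - p); }
        else      { name = p; name_len = len; }
        if (name_len == strlen("selinuxfs") && memcmp(name, "selinuxfs", name_len) == 0)
            return 1;
        p = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Model of the old is_selinux_enabled(): SELinux counts as enabled when the
 * kernel advertises selinuxfs and the caller's own context read from
 * /proc/self/attr/current is something other than "kernel".  Pass NULL for
 * a failed read.  Note that nothing here checks that /selinux is mounted,
 * which is exactly the gap the chroot falls into. */
int model_is_selinux_enabled(const char *filesystems_text, const char *attr_current)
{
    if (!lists_selinuxfs(filesystems_text))
        return 0;
    if (attr_current == NULL || strcmp(attr_current, "kernel") == 0)
        return 0;
    return 1;
}

/* The shim approach: unconditionally report "disabled", as mock's dummy
 * libselinux does, so callers such as pam_selinux never go any further. */
int shim_is_selinux_enabled(void)
{
    return 0;
}

/* Simplified stand-in (an assumption, not pam_selinux's logic) for the
 * behaviour seen in the strace: with SELinux reported as disabled the module
 * returns success at once; with it reported enabled but selinuxfs absent, the
 * default-context lookup fails and the module falls back to asking on the
 * terminal.  Returns 1 when the caller would block on that prompt. */
int would_prompt_for_context(int selinux_enabled, int selinuxfs_mounted)
{
    if (!selinux_enabled)
        return 0;
    return selinuxfs_mounted ? 0 : 1;
}

/* Constructed sample: what a chroot sees when /proc is the host kernel's but
 * /selinux is not mounted inside it, matching the strace in the thread. */
static const char HOST_PROC_FILESYSTEMS[] =
    "nodev\tsysfs\nnodev\trootfs\nnodev\tbdev\nnodev\tproc\n"
    "nodev\tselinuxfs\n\text3\n\tiso9660\n";
static const char CHROOT_ATTR_CURRENT[] = "user_u:system_r:mock_t:s0";

int main(void)
{
    int real = model_is_selinux_enabled(HOST_PROC_FILESYSTEMS, CHROOT_ATTR_CURRENT);
    int shim = shim_is_selinux_enabled();
    printf("probe model: enabled=%d, would prompt=%d\n",
           real, would_prompt_for_context(real, 0));
    printf("shim:        enabled=%d, would prompt=%d\n",
           shim, would_prompt_for_context(shim, 0));
    return 0;
}
```

Build with any C compiler (cc -Wall example.c). The point it makes is that the probe answers "enabled" from the host kernel's /proc alone, so a chroot that shares the host's /proc but has no /selinux mount is in a state the probe never anticipated; a shim that answers "disabled" short-circuits everything downstream of it.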
From: emeric.maschino at jouy.inra.fr (Émeric Maschino) Date: Wed, 09 Aug 2006 21:12:01 +0200 Subject: {a|min}getty/wtmp AVCs Message-ID: <1155150721.44da338142774@www.jouy.inra.fr> Hi, I'm getting the following AVCs on my Itanium system (selinux-policy-targeted-2.3.6-1). Are they also noticeable on other architectures?

audit(1155148758.991:4): avc: denied { write } for pid=2382 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148758.991:5): avc: denied { write } for pid=2383 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.411:6): avc: denied { write } for pid=2384 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.627:7): avc: denied { write } for pid=2385 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.627:8): avc: denied { write } for pid=2381 comm="agetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148760.063:9): avc: denied { write } for pid=2386 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148760.199:10): avc: denied { write } for pid=2387 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Cheers,

Émeric

From sds at tycho.nsa.gov Wed Aug 9 19:41:38 2006
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 Aug 2006 15:41:38 -0400 Subject: FC2 useradd in chroot on FC5 host with SELinux In-Reply-To: <44DA1B41.70905@city-fan.org> References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9FF3B.6090202@city-fan.org> <44DA0183.2020608@redhat.com> <44DA0577.2020506@city-fan.org> <44DA1B41.70905@city-fan.org> Message-ID: <1155152498.1123.245.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2006-08-09 at 18:28 +0100, Paul Howarth wrote: > Supposing I just remove the pam_selinux from /etc/pam.d/su altogether? > Is that likely to break anything? Any other way of persuading an FC2 > system that SELinux is disabled? Removing it should be fine (and has already happened in FC5). I'm not clear on the cause though - pam_selinux returns immediately with PAM_SUCCESS if is_selinux_enabled() returns <= 0. -- Stephen Smalley National Security Agency From paul at city-fan.org Wed Aug 9 22:05:49 2006 
From: paul at city-fan.org (Paul Howarth) Date: Wed, 09 Aug 2006 23:05:49 +0100 Subject: FC2 useradd in chroot on FC5 host with SELinux In-Reply-To: <1155152498.1123.245.camel@moss-spartans.epoch.ncsc.mil> References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9FF3B.6090202@city-fan.org> <44DA0183.2020608@redhat.com> <44DA0577.2020506@city-fan.org> <44DA1B41.70905@city-fan.org> <1155152498.1123.245.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1155161149.8161.2.camel@metropolis.intra.city-fan.org> On Wed, 2006-08-09 at 15:41 -0400, Stephen Smalley wrote: > On Wed, 2006-08-09 at 18:28 +0100, Paul Howarth wrote: > > Supposing I just remove the pam_selinux from /etc/pam.d/su altogether? > > Is that likely to break anything? Any other way of persuading an FC2 > > system that SELinux is disabled? > > Removing it should be fine (and has already happened in FC5). I'm not > clear on the cause though - pam_selinux returns immediately with > PAM_SUCCESS if is_selinux_enabled() returns <= 0. It got further with that line removed, and now hangs when trying to run rpm as the user "mockbuild" that was added by "useradd". This appears to be the first chroot command that's not running as root. It's not obvious to me what it's waiting for. Mock root log, with straces of all chroot commands attached. Paul. -------------- next part -------------- A non-text attachment was scrubbed... Name: fc2-root.log.bz2 Type: application/x-bzip Size: 11775 bytes Desc: not available URL: From paul at city-fan.org Thu Aug 10 11:39:08 2006 
From: paul at city-fan.org (Paul Howarth) Date: Thu, 10 Aug 2006 12:39:08 +0100 Subject: sendmail aliases context Message-ID: <44DB1ADC.5060702@city-fan.org> Upstream sendmail has aliases in /etc/mail/aliases(.db)? rather than /etc/aliases(.db)? I therefore suggest adding the following contexts to policy for the benefit of those of us rolling our own sendmail packages:

/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)

Paul.

From dwalsh at redhat.com Thu Aug 10 14:05:30 2006
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 10 Aug 2006 10:05:30 -0400 Subject: {a|min}getty/wtmp AVCs In-Reply-To: <1155150721.44da338142774@www.jouy.inra.fr> References: <1155150721.44da338142774@www.jouy.inra.fr> Message-ID: <44DB3D2A.5030806@redhat.com> Émeric Maschino wrote:
> Hi,
>
> I'm getting the following AVCs on my Itanium system
> (selinux-policy-targeted-2.3.6-1). Are they also noticeable on other
> architectures?
>
> audit(1155148758.991:4): avc: denied { write } for pid=2382 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> audit(1155148758.991:5): avc: denied { write } for pid=2383 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> audit(1155148759.411:6): avc: denied { write } for pid=2384 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> audit(1155148759.627:7): avc: denied { write } for pid=2385 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> audit(1155148759.627:8): avc: denied { write } for pid=2381 comm="agetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> audit(1155148760.063:9): avc: denied { write } for pid=2386 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> audit(1155148760.199:10): avc: denied { write } for pid=2387 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
>
logrotate was broken and changing the file context on /var/log/wtmp. You can restore the context with

    restorecon /var/log/wtmp

Then if you update to the latest logrotate the problem should be fixed.

> Cheers,
>
> Émeric
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From paul at city-fan.org Fri Aug 11 07:47:48 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 11 Aug 2006 08:47:48 +0100
Subject: FC2 useradd in chroot on FC5 host with SELinux
In-Reply-To: <1155161149.8161.2.camel@metropolis.intra.city-fan.org>
References: <1151601933.7470.241.camel@laurel.intra.city-fan.org> <44B66871.3080707@redhat.com> <44B66C6A.6090808@city-fan.org> <44B674C1.80705@redhat.com> <44B67BE0.6010802@city-fan.org> <1155112070.25659.2.camel@metropolis.intra.city-fan.org> <1155126794.1123.177.camel@moss-spartans.epoch.ncsc.mil> <44D9FF3B.6090202@city-fan.org> <44DA0183.2020608@redhat.com> <44DA0577.2020506@city-fan.org> <44DA1B41.70905@city-fan.org> <1155152498.1123.245.camel@moss-spartans.epoch.ncsc.mil> <1155161149.8161.2.camel@metropolis.intra.city-fan.org>
Message-ID: <1155282468.15982.12.camel@metropolis.intra.city-fan.org>

On Wed, 2006-08-09 at 23:05 +0100, Paul Howarth wrote:
> On Wed, 2006-08-09 at 15:41 -0400, Stephen Smalley wrote:
> > On Wed, 2006-08-09 at 18:28 +0100, Paul Howarth wrote:
> > > Supposing I just remove the pam_selinux from /etc/pam.d/su altogether?
> > > Is that likely to break anything? Any other way of persuading an FC2
> > > system that SELinux is disabled?
> >
> > Removing it should be fine (and has already happened in FC5). I'm not
> > clear on the cause though - pam_selinux returns immediately with
> > PAM_SUCCESS if is_selinux_enabled() returns <= 0.
>
> It got further with that line removed, and now hangs when trying to run
> rpm as the user "mockbuild" that was added by "useradd". This appears to
> be the first chroot command that's not running as root. It's not obvious
> to me what it's waiting for.

It turns out it must have been waiting for a password, because after killing the process the echo on the terminal was turned off.

I now believe I have solved this problem. Many, many thanks to Dan and Stephen for helping.

The mock tool does include a dummy libselinux library that returns 0 for all calls to is_selinux_enabled(). This library is LD-PRELOAD-ed for calls to yum to install packages into the chroot. However, it is not LD-PRELOAD-ed for any other operation, such as running "useradd" or "rpmbuild" in the chroot. In FC2, this results in a hangup when the user is prompted for a new context to use if the host system has SELinux enabled.

I tried building an FC2 libselinux package with the is_selinux_enabled() hack to install into the chroot so that this wouldn't happen, but this appeared to have no effect. Further investigation revealed that although I had included the hack patch in the libselinux package, and that package was being installed into the chroot, I had actually forgotten to *apply* the patch in the hacked libselinux package and it was therefore identical to the original FC2 libselinux package. D'oh!

After configuring mock to install the properly-hacked libselinux package into the chroot, it appears to be building packages successfully now. Phew!

I'll try it on a few more packages and if all seems well, I'll update the Legacy/Mock wiki page with the new information.

Paul.

From selinux at gmail.com Fri Aug 11 15:37:35 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 11 Aug 2006 08:37:35 -0700
Subject: AVCs from today's updates.... (stroke 2)
Message-ID: <4c4ba1530608110837m62dac2beke382a10d8a8800ee@mail.gmail.com>

Resending with <100K text to avoid moderator .....

Today's update generated some AVCs (actually lots of them).

Here is audit2allow output:

allow bootloader_t rpm_t:tcp_socket { read write };
allow bootloader_t rpm_var_lib_t:file { read write };
allow depmod_t rpm_t:tcp_socket { read write };
allow depmod_t rpm_var_lib_t:file { read write };
allow depmod_t var_t:file read;

Here are clippings from /var/log/audit/audit.log:

type=AVC msg=audit(1155307887.872:40): avc: denied { read write } for pid=4770 comm="depmod" name="[51427]" dev=sockfs ino=51427 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket
type=AVC msg=audit(1155307887.872:40): avc: denied { read write } for pid=4770 comm="depmod" name="__db.000" dev=dm-0 ino=2786034 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1155307887.872:40): avc: denied { read } for pid=4770 comm="depmod" name="kernel-2.6.17-1.2548.fc6.i686.rpm" dev=dm-0 ino=2818553 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1155307887.872:40): arch=40000003 syscall=11 success=yes exit=0 a0=8858430 a1=884a5c8 a2=884d8a0 a3=8858760 items=0 ppid=4762 pid=4770 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1155307887.872:40): path="/var/cache/yum/development/packages/kernel-2.6.17-1.2548.fc6.i686.rpm"
type=AVC_PATH msg=audit(1155307887.872:40): path="/var/lib/rpm/__db.000"
type=AVC_PATH msg=audit(1155307887.872:40): path="socket:[51427]"
<<<<< many, many of the above, various socket #s>>>>>>

<<<<< many, many of the below, various socket #s>>>>>>
type=AVC msg=audit(1155307888.860:41): avc: denied { read write } for pid=4771 comm="mkinitrd" name="[54546]" dev=sockfs ino=54546 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket
type=AVC msg=audit(1155307888.860:41): avc: denied { read write } for pid=4771 comm="mkinitrd" name="[51427]" dev=sockfs ino=51427 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket
type=AVC msg=audit(1155307888.860:41): avc: denied { read write } for pid=4771 comm="mkinitrd" name="__db.000" dev=dm-0 ino=2786034 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1155307888.860:41): arch=40000003 syscall=11 success=yes exit=0 a0=8857f58 a1=884a5c8 a2=884d8a0 a3=8858470 items=0 ppid=4762 pid=4771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="mkinitrd" exe="/bin/bash" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1155307888.860:41): path="/var/lib/rpm/__db.000"
type=AVC_PATH msg=audit(1155307888.860:41): path="socket:[51427]"
type=AVC_PATH msg=audit(1155307888.860:41): path="socket:[54546]"
type=AVC_PATH msg=audit(1155307888.860:41): path="socket:[55152]"
type=AVC_PATH msg=audit(1155307888.860:41): path="socket:[48873]"
<<<< many, many of the above, various socket #s >>>>>

tom
--
Tom London

From dragoran at feuerpokemon.de Fri Aug 11 15:46:18 2006
From: dragoran at feuerpokemon.de (dragoran)
Date: Fri, 11 Aug 2006 17:46:18 +0200
Subject: dbus/wine and selinux problems
Message-ID: <44DCA64A.5060809@feuerpokemon.de>

Hello
I am working on an opengl wrapper that displays some data on a hud in games.
It uses dbus in a thread to get the data. The wrapper is loaded using LD_PRELOAD.
The problem is when a game is started using wine (a windows game) dbus does not work because selinux is blocking it.
setenforce 0 fixes it but isn't a solution.
So how can I allow wine_exec_t to connect to dbus?

From cpebenito at tresys.com Fri Aug 11 18:33:43 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 11 Aug 2006 14:33:43 -0400
Subject: AVCs from today's updates.... (stroke 2)
In-Reply-To: <4c4ba1530608110837m62dac2beke382a10d8a8800ee@mail.gmail.com>
References: <4c4ba1530608110837m62dac2beke382a10d8a8800ee@mail.gmail.com>
Message-ID: <1155321224.8722.69.camel@sgc>

On Fri, 2006-08-11 at 08:37 -0700, Tom London wrote:
> Resending with <100K text to avoid moderator .....
>
> Today's update generated some AVCs (actually lots of them).
>
> Here is audit2allow output:
>
> allow bootloader_t rpm_t:tcp_socket { read write };
> allow bootloader_t rpm_var_lib_t:file { read write };
> allow depmod_t rpm_t:tcp_socket { read write };
> allow depmod_t rpm_var_lib_t:file { read write };
> allow depmod_t var_t:file read;

Looks like RPM is leaking file descriptors.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From dwalsh at redhat.com Sat Aug 12 11:52:40 2006
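An added example, not code from this list thread: a small Python triage script that applies Chris PeBenito's diagnosis as a rule over constructed copies of the records above (Tom London's depmod denials, plus one record modelled on the getty/wtmp denials from the earlier thread). A { read write } denial whose SYSCALL record is a successful execve means the new domain never opened the object itself; the kernel found it on an inherited descriptor and revoked it at the domain transition, so the fix belongs in the parent, not in an audit2allow rule. The i386 execve syscall number, the constructed SYSCALL line for the wtmp case and the verdict labels are assumptions of this example.

```python
"""Triage SELinux AVC denials: descriptors revoked at execve vs. real denials.

Added example, not code from the mailing-list thread.  Rule: a read/write
denial recorded together with a *successful* execve is the kernel revoking
an inherited descriptor the new domain may not use (a leaked fd in the
parent: set close-on-exec there).  Any other denial is reported as a policy
or labelling problem, which is what the mislabelled /var/log/wtmp was.
Assumptions: i386 ABI (arch=40000003, syscall 11 = execve); the sample
records are constructed, trimmed copies of the ones posted to the list.
"""
import re
from collections import defaultdict

EXECVE_I386 = "11"                            # assumption: execve on i386
FD_MODE_PERMS = {"read", "write", "append"}   # what an open descriptor carries

# Constructed sample: depmod's execve with three revoked descriptors, plus a
# non-execve denial modelled on the mingetty/wtmp report (SYSCALL line added).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1155307887.872:40): avc: denied { read write } for pid=4770 comm="depmod" name="[51427]" dev=sockfs ino=51427 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket
type=AVC msg=audit(1155307887.872:40): avc: denied { read write } for pid=4770 comm="depmod" name="__db.000" dev=dm-0 ino=2786034 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1155307887.872:40): avc: denied { read } for pid=4770 comm="depmod" name="kernel-2.6.17-1.2548.fc6.i686.rpm" dev=dm-0 ino=2818553 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1155307887.872:40): arch=40000003 syscall=11 success=yes exit=0 a0=8858430 a1=884a5c8 a2=884d8a0 a3=8858760 items=0 ppid=4762 pid=4770 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1155307887.872:40): path="/var/cache/yum/development/packages/kernel-2.6.17-1.2548.fc6.i686.rpm"
type=AVC_PATH msg=audit(1155307887.872:40): path="/var/lib/rpm/__db.000"
type=AVC_PATH msg=audit(1155307887.872:40): path="socket:[51427]"
type=AVC msg=audit(1155148758.991:4): avc: denied { write } for pid=2382 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1155148758.991:4): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2382 comm="mingetty" exe="/sbin/mingetty" subj=system_u:system_r:getty_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied +\{ ([^}]*) \}")


def parse_audit(text):
    """Group records by audit serial into {avcs, syscall, paths} events."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None, "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                                   # not an audit record
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        event = events[serial]
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            fields["perms"] = set(pm.group(1).split()) if pm else set()
            event["avcs"].append(fields)
        elif rtype == "SYSCALL":
            event["syscall"] = fields
        elif rtype == "AVC_PATH":
            event["paths"].append(fields.get("path", ""))
    return dict(events)


def selinux_type(context):
    """'system_u:system_r:rpm_t:s0' -> 'rpm_t'."""
    return context.split(":")[2]


def is_process_context(context):
    """Sockets carry their creator's process context (role is not object_r)."""
    return context.split(":")[1] != "object_r"


def classify(event):
    """Return one (verdict, detail) pair per AVC record in the event."""
    sc = event["syscall"] or {}
    at_execve = sc.get("syscall") == EXECVE_I386 and sc.get("success") == "yes"
    findings = []
    for avc in event["avcs"]:
        subj, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
        what = "{} ({}) -> {} {} {}".format(
            avc["comm"], subj, avc["tclass"], tgt, sorted(avc["perms"]))
        if at_execve and avc["perms"] <= FD_MODE_PERMS:
            # The new domain never opened this object: it came in on a descriptor
            # inherited across execve, which the kernel revoked at the transition.
            owner = "socket of " + tgt if is_process_context(avc["tcontext"]) else "file"
            findings.append(("LEAKED_FD", "{}: {} inherited from parent pid {}; "
                             "fix the parent (close-on-exec), not the policy"
                             .format(what, owner, sc.get("ppid", "?"))))
        else:
            findings.append(("POLICY_OR_LABEL", what + ": compare the target's label "
                             "with policy (matchpathcon/restorecon) before allowing"))
    return findings


def triage(text):
    """Map audit serial -> list of (verdict, detail)."""
    return {serial: classify(ev) for serial, ev in parse_audit(text).items()}


if __name__ == "__main__":
    for serial, findings in sorted(triage(SAMPLE_AUDIT_LOG).items()):
        for verdict, detail in findings:
            print("[{}] {}: {}".format(serial, verdict, detail))
```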
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 12 Aug 2006 07:52:40 -0400
Subject: dbus/wine and selinux problems
In-Reply-To: <44DCA64A.5060809@feuerpokemon.de>
References: <44DCA64A.5060809@feuerpokemon.de>
Message-ID: <44DDC108.8040807@redhat.com>

dragoran wrote:
> Hello
> I am working on an opengl wrapper that displays some data on a hud in games.
> It uses dbus in a thread to get the data. The wrapper is loaded using
> LD_PRELOAD.
> The problem is when a game is started using wine (a windows game) dbus
> does not work because selinux is blocking it.
> setenforce 0 fixes it but isn't a solution.
> So how can I allow wine_exec_t to connect to dbus?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What AVC messages are you seeing?

You might want to chcon -t unconfined_execmem_t wine

Since wine, mono, java unconfined_execmem_t are all basically the same policy.

From dragoran at feuerpokemon.de Sat Aug 12 12:12:23 2006
From: dragoran at feuerpokemon.de (dragoran)
Date: Sat, 12 Aug 2006 14:12:23 +0200
Subject: dbus/wine and selinux problems
In-Reply-To: <44DDC108.8040807@redhat.com>
References: <44DCA64A.5060809@feuerpokemon.de> <44DDC108.8040807@redhat.com>
Message-ID: <44DDC5A7.7080103@feuerpokemon.de>

Daniel J Walsh wrote:
> dragoran wrote:
>> Hello
>> I am working on an opengl wrapper that displays some data on a hud in
>> games.
>> It uses dbus in a thread to get the data. The wrapper is loaded using
>> LD_PRELOAD.
>> The problem is when a game is started using wine (a windows game)
>> dbus does not work because selinux is blocking it.
>> setenforce 0 fixes it but isn't a solution.
>> So how can I allow wine_exec_t to connect to dbus?
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> What AVC messages are you seeing?
>
None. I only get an error from dbus that says that a selinux policy prevents the connection.
audit.log has nothing (no auditd running)
/var/log/messages has nothing too.
> You might want to chcon -t unconfined_execmem_t wine
>
> Since wine, mono, java unconfined_execmem_t are all basically the same
> policy.
>
OK, will try this, but what's the point in having separate policies for them if they are the same?
>
>

From dwalsh at redhat.com Sat Aug 12 17:45:32 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 12 Aug 2006 13:45:32 -0400
Subject: dbus/wine and selinux problems
In-Reply-To: <44DDC5A7.7080103@feuerpokemon.de>
References: <44DCA64A.5060809@feuerpokemon.de> <44DDC108.8040807@redhat.com> <44DDC5A7.7080103@feuerpokemon.de>
Message-ID: <44DE13BC.6050000@redhat.com>

dragoran wrote:
> Daniel J Walsh wrote:
>> dragoran wrote:
>>> Hello
>>> I am working on an opengl wrapper that displays some data on a hud in
>>> games.
>>> It uses dbus in a thread to get the data. The wrapper is loaded
>>> using LD_PRELOAD.
>>> The problem is when a game is started using wine (a windows game)
>>> dbus does not work because selinux is blocking it.
>>> setenforce 0 fixes it but isn't a solution.
>>> So how can I allow wine_exec_t to connect to dbus?
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> What AVC messages are you seeing?
>>
> None. I only get an error from dbus that says that a selinux policy
> prevents the connection.
> audit.log has nothing (no auditd running)
> /var/log/messages has nothing too.
>> You might want to chcon -t unconfined_execmem_t wine
>>
>> Since wine, mono, java unconfined_execmem_t are all basically the
>> same policy.
>>
> OK, will try this, but what's the point in having separate policies for
> them if they are the same?
>>
Exactly. We need to consolidate them until they differentiate.
>>
>

From selinux at gmail.com Sun Aug 13 16:58:38 2006
From: selinux at gmail.com (Tom London)
Date: Sun, 13 Aug 2006 09:58:38 -0700
Subject: file_contexts.local install error...
Message-ID: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

Today's 'yumex' produced:

libsemanage.semanage_install_active: Non-fatal error: Could not copy
/etc/selinux/targeted/modules/active/file_contexts.local to
/etc/selinux/targeted/contexts/files/file_contexts.local.

Is this similar to what happened with 'netfilter_contexts' (i.e., need to run update in permissive mode)?

tom
--
Tom London

From benjy.grogan at gmail.com Mon Aug 14 05:27:16 2006
From: benjy.grogan at gmail.com (Benjy Grogan)
Date: Mon, 14 Aug 2006 01:27:16 -0400
Subject: Who Watches Over Coverity?
Message-ID:

Hello:

Is Red Hat worried about Coverity or other such bug/security hole searching private ventures? There are probably 1000s of critical security holes in any given Linux distro and the only problem is that there doesn't exist sophisticated enough tools yet to discover them. Companies like Coverity are attempting to develop them, and for what seems like the greater good of Linux distros. Nevertheless, with Red Hat having invested so much into SELinux is there also considerable thought put into developing a Coverity-like project to get to those lingering security threats first?

Benjy

From linux_4ever at yahoo.com Mon Aug 14 11:59:31 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Mon, 14 Aug 2006 04:59:31 -0700 (PDT)
Subject: Who Watches Over Coverity?
In-Reply-To:
Message-ID: <20060814115931.36338.qmail@web51508.mail.yahoo.com>

>Nevertheless, with Red Hat having invested so much into SELinux is there also
>considerable thought put into developing a Coverity-like project to get to those
>lingering security threats first?

I periodically go through open source code with FlexeLint. It finds the same bugs that Coverity does, but also provides many false positives. So, going from the report to fixing bugs is a fair amount of work. I have also experimented with smatch. It seemed to be on the right track, but is a patch to a now ancient compiler. I think if open source wanted a Coverity-like tool, this project should be revived.

At the moment, I think the tack taken is to improve gcc's reporting of bugs. Very few programs do: -Wall -W -Wformat-string -Wfloating-point. When looking for bugs, I try to increase the output from gcc since it does a decent job of finding some of the same bugs Coverity does. They just hide as signed-unsigned comparisons.

Also note that gcc has been improved by adding a propolice-like extension that many programs are compiled with; relro has been added to most network facing or setuid programs (as well as PIE flags); and Fortify Source has been improved by extending it to many other functions. In my opinion, these enhancements help the overall security of Fedora/RHEL beyond just what SE Linux does.

I don't think we should be complacent either, but it's not as dire as it was 2 years ago when I was doing many code audits and finding real problems. (I also plan to start a new round of audits in a month or two when some of the LSPP tasks are finally whipped.)

Have you tried out smatch? The project seems dead, but probably the best starting point.

-Steve

From cpebenito at tresys.com Mon Aug 14 13:45:31 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Mon, 14 Aug 2006 09:45:31 -0400
Subject: file_contexts.local install error...
In-Reply-To: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com>
References: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com>
Message-ID: <1155563131.20430.0.camel@sgc>

On Sun, 2006-08-13 at 09:58 -0700, Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> Today's 'yumex' produced:
>
> libsemanage.semanage_install_active: Non-fatal error: Could not copy
> /etc/selinux/targeted/modules/active/file_contexts.local to
> /etc/selinux/targeted/contexts/files/file_contexts.local.

Any denial messages?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From rirving at antient.org Mon Aug 14 13:44:56 2006
From: rirving at antient.org (Richard Irving)
Date: Mon, 14 Aug 2006 09:44:56 -0400
Subject: Who Watches Over Coverity?
In-Reply-To:
References:
Message-ID: <44E07E58.9070702@antient.org>

Benjy Grogan wrote:
> Hello:
>
> Is Red Hat worried about Coverity or other such bug/security hole
> searching private ventures?

I doubt it, that which doesn't kill you makes you stronger.

> There are probably 1000s of critical
> security holes in any given Linux distro and the only problem is that
> there doesn't exist sophisticated enough tools yet to discover them.

An infinite number of monkeys typing on a typewriter, eventually reproduce the works of Shakespeare... and the Internet provides online distro's with an infinite number of monkeys. But instead of Shakespeare, they find the vulnerabilities. Hence the term "case" hardened. ;-)

> Companies like Coverity are attempting to develop them, and for what
> seems like the greater good of Linux distros.

Oh, the "greater good", I *hate* that expression, it always seems to herald someone taking away something from me, money, guns, civil rights, etc.. Who is John Galt, eh ? :-P

> Nevertheless, with Red
> Hat having invested so much into SELinux is there also considerable
> thought put into developing a Coverity-like project to get to those
> lingering security threats first?

Actually, the nature of SELinux is to isolate, or "contain" just such unforeseen, but inevitable, vulnerabilities, in the first place. Thus the "raison d'etre" of a "container"/"flask" model.

But, I am not speaking for RH... just guessing what their attitude might be. Of course, Carnac the magnificent, I am not.

>
> Benjy
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From selinux at gmail.com Mon Aug 14 13:53:18 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 14 Aug 2006 06:53:18 -0700
Subject: file_contexts.local install error...
In-Reply-To: <1155563131.20430.0.camel@sgc>
References: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com> <1155563131.20430.0.camel@sgc>
Message-ID: <4c4ba1530608140653k4f673233wdfe0f367cd2f11b@mail.gmail.com>

On 8/14/06, Christopher J. PeBenito wrote:
> On Sun, 2006-08-13 at 09:58 -0700, Tom London wrote:
> > Running latest rawhide, targeted/enforcing.
> >
> > Today's 'yumex' produced:
> >
> > libsemanage.semanage_install_active: Non-fatal error: Could not copy
> > /etc/selinux/targeted/modules/active/file_contexts.local to
> > /etc/selinux/targeted/contexts/files/file_contexts.local.
>
> Any denial messages?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150

None I can find.

tom
--
Tom London

From selinux at gmail.com Mon Aug 14 14:41:48 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 14 Aug 2006 07:41:48 -0700
Subject: file_contexts.local install error...
In-Reply-To: <4c4ba1530608140653k4f673233wdfe0f367cd2f11b@mail.gmail.com>
References: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com> <1155563131.20430.0.camel@sgc> <4c4ba1530608140653k4f673233wdfe0f367cd2f11b@mail.gmail.com>
Message-ID: <4c4ba1530608140741m4a544a2fn86139618e2f1aac4@mail.gmail.com>

On 8/14/06, Tom London wrote:
> On 8/14/06, Christopher J. PeBenito wrote:
> > On Sun, 2006-08-13 at 09:58 -0700, Tom London wrote:
> > > Running latest rawhide, targeted/enforcing.
> > >
> > > Today's 'yumex' produced:
> > >
> > > libsemanage.semanage_install_active: Non-fatal error: Could not copy
> > > /etc/selinux/targeted/modules/active/file_contexts.local to
> > > /etc/selinux/targeted/contexts/files/file_contexts.local.
> >
> > Any denial messages?
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
>
> None I can find.
>

Previous 'trick' of running:

setenforce 0
semodule -b /usr/share/selinux/targeted/base.pp
setenforce 1

didn't work:

[root at localhost ~]# setenforce 0
[root at localhost ~]# semodule -b /usr/share/selinux/targeted/base.pp
libsemanage.semanage_install_active: Non-fatal error: Could not copy
/etc/selinux/targeted/modules/active/file_contexts.local to
/etc/selinux/targeted/contexts/files/file_contexts.local.
[root at localhost ~]#

No AVC's.....

Tom London

From sds at tycho.nsa.gov Mon Aug 14 14:50:52 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 14 Aug 2006 10:50:52 -0400
Subject: file_contexts.local install error...
In-Reply-To: <4c4ba1530608140741m4a544a2fn86139618e2f1aac4@mail.gmail.com>
References: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com> <1155563131.20430.0.camel@sgc> <4c4ba1530608140653k4f673233wdfe0f367cd2f11b@mail.gmail.com> <4c4ba1530608140741m4a544a2fn86139618e2f1aac4@mail.gmail.com>
Message-ID: <1155567052.28766.73.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-08-14 at 07:41 -0700, Tom London wrote:
> On 8/14/06, Tom London wrote:
> > On 8/14/06, Christopher J. PeBenito wrote:
> > > On Sun, 2006-08-13 at 09:58 -0700, Tom London wrote:
> > > > Running latest rawhide, targeted/enforcing.
> > > >
> > > > Today's 'yumex' produced:
> > > >
> > > > libsemanage.semanage_install_active: Non-fatal error: Could not copy
> > > > /etc/selinux/targeted/modules/active/file_contexts.local to
> > > > /etc/selinux/targeted/contexts/files/file_contexts.local.
> > >
> > > Any denial messages?
> > >
> > > --
> > > Chris PeBenito
> > > Tresys Technology, LLC
> > > (410) 290-1411 x150
> >
> > None I can find.
> >
> Previous 'trick' of running:
>
> setenforce 0
> semodule -b /usr/share/selinux/targeted/base.pp
> setenforce 1
>
> didn't work:
> [root at localhost ~]# setenforce 0
> [root at localhost ~]# semodule -b /usr/share/selinux/targeted/base.pp
> libsemanage.semanage_install_active: Non-fatal error: Could not copy
> /etc/selinux/targeted/modules/active/file_contexts.local to
> /etc/selinux/targeted/contexts/files/file_contexts.local.
> [root at localhost ~]#
>
> No AVC's.....

Are you just missing a file_contexts.local file altogether in /etc/selinux/targeted/modules/active?

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Mon Aug 14 14:51:46 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 14 Aug 2006 07:51:46 -0700
Subject: file_contexts.local install error...
In-Reply-To: <1155567052.28766.73.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com> <1155563131.20430.0.camel@sgc> <4c4ba1530608140653k4f673233wdfe0f367cd2f11b@mail.gmail.com> <4c4ba1530608140741m4a544a2fn86139618e2f1aac4@mail.gmail.com> <1155567052.28766.73.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba1530608140751r561a065k57c21e55508190ad@mail.gmail.com>

>
> Are you just missing a file_contexts.local file altogether
> in /etc/selinux/targeted/modules/active?
>
> --
> Stephen Smalley
> National Security Agency
>
>

Sigh, yes.

tom
--
Tom London

From sds at tycho.nsa.gov Mon Aug 14 14:58:19 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 14 Aug 2006 10:58:19 -0400
Subject: file_contexts.local install error...
In-Reply-To: <4c4ba1530608140751r561a065k57c21e55508190ad@mail.gmail.com>
References: <4c4ba1530608130958i8cf1bdagb1ee18553b462750@mail.gmail.com> <1155563131.20430.0.camel@sgc> <4c4ba1530608140653k4f673233wdfe0f367cd2f11b@mail.gmail.com> <4c4ba1530608140741m4a544a2fn86139618e2f1aac4@mail.gmail.com> <1155567052.28766.73.camel@moss-spartans.epoch.ncsc.mil> <4c4ba1530608140751r561a065k57c21e55508190ad@mail.gmail.com>
Message-ID: <1155567499.28766.75.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2006-08-14 at 07:51 -0700, Tom London wrote:
> >
> > Are you just missing a file_contexts.local file altogether
> > in /etc/selinux/targeted/modules/active?
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> >
> Sigh, yes.

No sigh required - that's a valid state, and libsemanage shouldn't complain about it.

--
Stephen Smalley
National Security Agency

From paul at city-fan.org Mon Aug 14 17:23:37 2006
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 14 Aug 2006 18:23:37 +0100
Subject: postfix, procmail and SELinux - No Go
In-Reply-To: <1153505960.3874.52.camel@localhost.localdomain>
References: <1151530682.3438.108.camel@localhost.localdomain> <1151532794.7470.101.camel@laurel.intra.city-fan.org> <1151550925.6200.48.camel@localhost.localdomain> <1151566188.7470.111.camel@laurel.intra.city-fan.org> <1151587633.6200.56.camel@localhost.localdomain> <1151624293.6466.10.camel@localhost.localdomain> <44A524CE.1070205@city-fan.org> <44AA9CF1.6000601@city-fan.org> <1152125919.4843.141.camel@localhost.localdomain> <44B7D0DA.9090207@city-fan.org> <1153144713.4897.18.camel@localhost.localdomain> <44BCDE1C.8070409@city-fan.org> <1153234408.3796.12.camel@localhost.localdomain> <44BCFB1A.8040909@city-fan.org> <1153269476.6132.15.camel@localhost.localdomain> <44BE120E.3050100@city-fan.org> <1153501044.3874.15.camel@localhost.localdomain> <44C1098F.60105@city-fan.org> <1153502577.3874.25.camel@localhost.localdomain> <44C10E5C.1050902@city-fan.org> <1153505960.3874.52.camel@localhost.localdomain>
Message-ID: <44E0B199.5030003@city-fan.org>

Marc Schwartz (via MN) wrote:
> On Fri, 2006-07-21 at 18:26 +0100, Paul Howarth wrote:
>> Marc Schwartz (via MN) wrote:
>>> On Fri, 2006-07-21 at 18:06 +0100, Paul Howarth wrote:
>>>> Marc Schwartz (via MN) wrote:
>>>>> Well, after a couple of days and several re-boots, the following is the
>>>>> only avc so far:
>>>>>
>>>>> type=AVC msg=audit(1153435170.422:48): avc: denied { search } for pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
>>>>> type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 a0=9730020 a1=1 a2=448ce93c a3=972f7e0 items=1 pid=15586 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
>>>>> type=CWD msg=audit(1153435170.422:48): cwd="/home/marcs"
>>>>> type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" parent=58512 dev=fd:02 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:clamscan_tmp_t:s0
>>>>>
>>>>> I am running in Enforcing mode.
>>>> It appears to be trying to look in your home directory whilst scanning a
>>>> temporary file called "tnef".
>>> 'tnef' files (Transport Neutral Encapsulation Format) are a MIME type
>>> coming from Winders Outlook users. They tend to show up in Evolution as
>>> 'winmail.dat' attachments, which then require a tnef viewer such as tnef
>>> or KTnef or similar to open and view:
>>>
>>> http://sourceforge.net/projects/tnef
>>>
>>> I do occasionally get this from co-workers and others who are on
>>> Windows.
>>>
>>>> The program appears to be running in your home directory, probably since
>>>> it's running from your .procmailrc and clamassassin. I wonder if this
>>>> can be dontaudited? Any idea whether the scan of this file worked or not?
>>> I can confirm that I have received at least one 'tnef' type attachment
>>> in the past 48 hours, which came through to Evo without problem. These
>>> would not normally be picked up as a virus/worm, etc. via scanners.
>> I'd expect you to get one of these AVCs for each scanned attachment;
>> have you only seen the one instance?
>
> There has only been one in the past day or two that I can recall.
>
>> Could you try getting it to scan something that should be detected as
>> "bad" and make sure it works?
>
> An incoming external e-mail will be hard. Between the virus filters now
> on my personal ISP and those that my company has installed on the
> corporate mail server, it is virtually impossible to get one to get in
> the pipeline on my system to be scanned by clamav.
>
> Oh wait a minute, presuming that this works properly, mail path wise, I
> can use mutt to attach an EICAR signature file and then send that e-mail
> to my local user account (ie. marcs at localhost) via the CLI.
>
> OK. That appears to work. I do get the e-mails, with the subject
> header re-write "[***** VIRUS *****]" via clamassassin. So if the mail
> path of a locally sent e-mail (versus an incoming POP3 msg) is OK, we
> are good to go.
>
> OK on the avc's also. The only avc still output is the one that I sent
> earlier.

Sorry about the delay. Assuming you're getting no further AVCs, we should now look at cleaning up the custom policy changes and submitting them to Dan. Is that OK?

Paul.

From mschwartz at mn.rr.com Mon Aug 14 19:53:29 2006
From: mschwartz at mn.rr.com (Marc Schwartz (via MN))
Date: Mon, 14 Aug 2006 14:53:29 -0500
Subject: postfix, procmail and SELinux - No Go
In-Reply-To: <44E0B199.5030003@city-fan.org>
References: <1151530682.3438.108.camel@localhost.localdomain> <1151532794.7470.101.camel@laurel.intra.city-fan.org> <1151550925.6200.48.camel@localhost.localdomain> <1151566188.7470.111.camel@laurel.intra.city-fan.org> <1151587633.6200.56.camel@localhost.localdomain> <1151624293.6466.10.camel@localhost.localdomain> <44A524CE.1070205@city-fan.org> <44AA9CF1.6000601@city-fan.org> <1152125919.4843.141.camel@localhost.localdomain> <44B7D0DA.9090207@city-fan.org> <1153144713.4897.18.camel@localhost.localdomain> <44BCDE1C.8070409@city-fan.org> <1153234408.3796.12.camel@localhost.localdomain> <44BCFB1A.8040909@city-fan.org> <1153269476.6132.15.camel@localhost.localdomain> <44BE120E.3050100@city-fan.org> <1153501044.3874.15.camel@localhost.localdomain> <44C1098F.60105@city-fan.org> <1153502577.3874.25.camel@localhost.localdomain> <44C10E5C.1050902@city-fan.org> <1153505960.3874.52.camel@localhost.localdomain> <44E0B199.5030003@city-fan.org>
Message-ID: <1155585209.4093.47.camel@localhost.localdomain>

On Mon, 2006-08-14 at 18:23 +0100, Paul Howarth wrote:
> Sorry about the delay. Assuming you're getting no further AVCs, we
> should now look at cleaning up the custom policy changes and submitting
> them to Dan. Is that OK?
>
> Paul.

Paul,

No problem on timing. I appreciate all of the time that you have spent with this to date.

At the present time, there are still no further avc's related to this discussion.

For the sake of re-verifying current status:

# /usr/sbin/semodule -l
amavis 1.0.5
clamav 1.0.4
dcc 1.0.1
myclamav 0.1.5
mydcc 0.1.9
mypostfix 0.1.1
mypyzor 0.2.3
myspamassassin 0.1.5
procmail 0.5.4
pyzor 1.0.4
razor 1.0.1

and

# rpm -qa | grep selinux
libselinux-1.30.3-4.fc5
libselinux-python-1.30.3-4.fc5
selinux-policy-targeted-2.3.3-8.fc5
libselinux-devel-1.30.3-4.fc5
selinux-policy-2.3.3-8.fc5

Best regards,

Marc

From borzoi at caltanet.it Tue Aug 15 16:28:13 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Tue, 15 Aug 2006 18:28:13 +0200
Subject: A question about root user and SELinux
In-Reply-To: <20060814160009.B8C757321B@hormel.redhat.com>
Message-ID: <001301c6c087$d21ef540$d5bf6850@STEFANENKO>

Hello everybody,
perhaps a newbie question; should that be the case, I beg your pardon.
Let's imagine a user acquires root rights. Especially on Fedora Core, which modifies the su command to automatically map it to the sysadm_r role, couldn't he/she simply disable SELinux, delete logs, and so on?

Hope to hear from you soon,

Paolo De Nictolis, Eng.

From sds at tycho.nsa.gov Tue Aug 15 17:58:12 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 15 Aug 2006 13:58:12 -0400
Subject: A question about root user and SELinux
In-Reply-To: <001301c6c087$d21ef540$d5bf6850@STEFANENKO>
References: <001301c6c087$d21ef540$d5bf6850@STEFANENKO>
Message-ID: <1155664692.1780.64.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-08-15 at 18:28 +0200, Paolo D. wrote:
> Hello everybody,
> perhaps a newbie question; should that be the case, I beg your pardon.
> Let's imagine a user acquires root rights. Especially on Fedora Core, which
> modifies the su command to automatically map it to the sysadm_r role, couldn't he/she
> simply disable SELinux, delete logs, and so on?

What does "acquire root rights" mean? Logged in as the root user, or exploited a suid root program or uid 0 process to gain uid 0? Two very different things as far as SELinux is concerned.

A few observations:
1) Your questions are presumably oriented toward the strict policy, not the default targeted policy since you are talking about sysadm_r.
2) pam_rootok is instrumented for SELinux, so a uid 0 process cannot su to an arbitrary user without knowing their password unless that process is also in an authorized domain.
3) In FC5, su no longer switches contexts; separate newrole is once again required.

--
Stephen Smalley
National Security Agency

From emeric.maschino at jouy.inra.fr Wed Aug 16 09:33:14 2006
From: emeric.maschino at jouy.inra.fr (Émeric Maschino)
Date: Wed, 16 Aug 2006 11:33:14 +0200
Subject: {a|min}getty/wtmp AVCs
In-Reply-To: <44DB3D2A.5030806@redhat.com>
References: <1155150721.44da338142774@www.jouy.inra.fr> <44DB3D2A.5030806@redhat.com>
Message-ID: <1155720794.31252.1.camel@giulietta.jouy.inra.fr>

> > I'm getting the following AVCs on my Itanium system
> > (selinux-policy-targeted-2.3.6-1). Are they also noticeable on other
> > architectures?
> >
> > audit(1155148758.991:4): avc: denied { write } for pid=2382 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> logrotate was broken and changing the file context on /var/log/wtmp.
> You can restore the context with restorecon /var/log/wtmp
> Then if you update to the latest logrotate the problem should be fixed.

This worked. Thanks very much.

Émeric

From tibbs at math.uh.edu Wed Aug 16 14:38:10 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 16 Aug 2006 09:38:10 -0500
Subject: A couple of mount AVCs
Message-ID:

I'm experimenting with turning on SELinux for my FC5 desktops. I took a machine that was kickstarted with "selinux --disabled", fully updated, edited /etc/sysconfig/selinux to change "disabled" to "enforcing", rebooted and waited for the relabel.

Upon boot I get this twice:

audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir

/var/spool/mail is supposed to be NFS mounted, but this AVC causes that mount to fail. (Yes, IMAP will be my savior, but some people here still use /bin/mail. Really.) What's odd is that I can log in as root and type "mount /var/spool/mail" and it mounts fine.

We also have NFS-mounted user home directories via autofs; the map is in LDAP and nscd is running. Every attempt to access a user home directory results in:

audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts

and the mount actually succeeds.

On a whim I touched /.autorelabel and rebooted again; the AVCs are unchanged.

Again, fully updated FC5:
selinux-policy-targeted-2.3.3-8.fc5.noarch
libselinux-1.30.3-4.fc5.i386
selinux-policy-2.3.3-8.fc5.noarch
kernel-2.6.17-1.2174_FC5.i586

 - J<

From paul at city-fan.org Wed Aug 16 14:53:32 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 16 Aug 2006 15:53:32 +0100
Subject: A couple of mount AVCs
In-Reply-To:
References:
Message-ID: <44E3316C.8000601@city-fan.org>

Jason L Tibbitts III wrote:
> I'm experimenting with turning on SELinux for my FC5 desktops. I took
> a machine that was kickstarted with "selinux --disabled", fully
> updated, edited /etc/sysconfig/selinux to change "disabled" to
> "enforcing", rebooted and waited for the relabel.
>
> Upon boot I get this twice:
>
> audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
>
> /var/spool/mail is supposed to be NFS mounted, but this AVC causes
> that mount to fail. (Yes, IMAP will be my savior, but some people
> here still use /bin/mail. Really.) What's odd is that I can log in
> as root and type "mount /var/spool/mail" and it mounts fine.

Unmount /var/spool/mail

Try:
# service netfs start

This should try and fail to do the mount, just as it does at boot time.

Now try:
# chcon -t mnt_t /var/spool/mail
# service netfs start

This time it should work.

> We also have NFS-mounted user home directories via autofs; the map is
> in LDAP and nscd is running. Every attempt to access a user home
> directory results in:
>
> audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
>
> and the mount actually succeeds.

What's the output of:
# getsebool use_nfs_home_dirs

It's probably set or you'd be having lots of other failures. It may be something that needs dontaudit-ing since it's actually working OK.

Paul.

From ccrayne at crayne.org Thu Aug 17 04:38:10 2006
From: ccrayne at crayne.org (Charles A. Crayne)
Date: Wed, 16 Aug 2006 21:38:10 -0700
Subject: Procmail, Spamassassin, and /etc/shadow
Message-ID: <20060816213810.3e5e5315@heimdall.crayne.org>

With a fully updated FC5 targeted policy, in permissive mode, while sorting incoming mail, procmail invokes spamassassin, which wants read and getattr permission for file /etc/shadow. I used audit2allow to create an allow rule for these cases, but the resulting local.pp module will not load, because it triggers an assert rule.

What is the recommended resolution to this issue?

-- Chuck

From sds at tycho.nsa.gov Thu Aug 17 11:47:17 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 17 Aug 2006 07:47:17 -0400
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <20060816213810.3e5e5315@heimdall.crayne.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org>
Message-ID: <1155815237.21070.1.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-08-16 at 21:38 -0700, Charles A. Crayne wrote:
> With a fully updated FC5 targeted policy, in permissive mode, while sorting
> incoming mail, procmail invokes spamassassin, which wants read and getattr
> permission for file /etc/shadow. I used audit2allow to create an allow
> rule for these cases, but the resulting local.pp module will not load,
> because it triggers an assert rule.
>
> What is the recommended resolution to this issue?

Odds are good that it doesn't truly need those permissions, so use a dontaudit rule instead of an allow rule, and see if it works then in enforcing mode. The dontaudit rule will just suppress the audit message without allowing it to happen.

-- 
Stephen Smalley
National Security Agency

From westfallsteve at qwest.net Thu Aug 17 15:44:47 2006
From: westfallsteve at qwest.net (steve westfall)
Date: Thu, 17 Aug 2006 08:44:47 -0700
Subject: wireles
Message-ID: <44E48EEF.2030506@qwest.net>

All...

I have just purchased a new notebook to upgrade my antique. It has a wireless mini PCI card (I believe it is an Intel card). I have the regular Ethernet up and running; however, the wireless is not. Every time I try to set it up (via network add under the wireless section) it comes back and tells me that the card was not found and, hence, could not be set up.

Any ideas?

From lamont at gurulabs.com Thu Aug 17 16:39:58 2006
From: lamont at gurulabs.com (Lamont R. Peterson)
Date: Thu, 17 Aug 2006 10:39:58 -0600
Subject: wireles
In-Reply-To: <44E48EEF.2030506@qwest.net>
References: <44E48EEF.2030506@qwest.net>
Message-ID: <200608171039.59069.lamont@gurulabs.com>

On Thursday 17 August 2006 09:44am, steve westfall wrote:
> All...
>
> I have just purchased a new notebook to upgrade my antique.
> It has a wireless mini PCI card (I believe it is an Intel card). I have the
> regular Ethernet up and running; however, the wireless is not. Every time
> I try to set it up (via network add under the wireless section) it comes
> back and
> tells me that the card was not found and, hence, could not be set up.

This is the wrong list. Try asking on the Fedora Users list.

To help you ask your question better, try running "lspci" and "lsmod" (perhaps include their output in your email to the Fedora Users list?) and that should help you identify which card you really have.

-- 
Lamont R. Peterson
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's.

From paul at city-fan.org Thu Aug 17 06:57:17 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 17 Aug 2006 07:57:17 +0100
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <20060816213810.3e5e5315@heimdall.crayne.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org>
Message-ID: <1155797847.21812.0.camel@metropolis.intra.city-fan.org>

On Wed, 2006-08-16 at 21:38 -0700, Charles A. Crayne wrote:
> With a fully updated FC5 targeted policy, in permissive mode, while sorting
> incoming mail, procmail invokes spamassassin, which wants read and getattr
> permission for file /etc/shadow. I used audit2allow to create an allow
> rule for these cases, but the resulting local.pp module will not load,
> because it triggers an assert rule.

Can you post the AVC messages you get when calling spamassassin from procmail?

How do you call spamassassin from procmail? Can you post the procmail recipe you use?

Paul.

From ccrayne at crayne.org Fri Aug 18 02:53:06 2006
From: ccrayne at crayne.org (Charles A. Crayne)
Date: Thu, 17 Aug 2006 19:53:06 -0700
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <1155797847.21812.0.camel@metropolis.intra.city-fan.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org>
Message-ID: <20060817195306.50b910b1@heimdall.crayne.org>

On Thu, 17 Aug 2006 07:57:17 +0100
Paul Howarth wrote:

:Can you post the AVC messages you get when calling spamassassin from
:procmail?

Aug 17 15:19:02 kernel: audit(1155853142.532:103485): avc: denied { read } for pid=20360 comm=spamassassin name="shadow" dev=hda3 ino=230475 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file
Aug 17 15:19:02 kernel: audit(1155853142.532:103486): avc: denied { getattr } for pid=20360 comm=spamassassin name="shadow" dev=hda3 ino=230475 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file

:How do you call spamassassin from procmail? Can you post the procmail
:recipe you use?

#Run spamassassin on non-subscription messages
:0fw
| /usr/bin/spamassassin

-- Chuck

From ccrayne at crayne.org Fri Aug 18 04:22:34 2006
From: ccrayne at crayne.org (Charles A. Crayne)
Date: Thu, 17 Aug 2006 21:22:34 -0700
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <1155797847.21812.0.camel@metropolis.intra.city-fan.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org>
Message-ID: <20060817212234.6a5049a5@heimdall.crayne.org>

On Thu, 17 Aug 2006 07:57:17 +0100
Paul Howarth wrote:

:How do you call spamassassin from procmail?

In addition to the direct call cited in my previous reply, I have now unearthed an indirect call via a perl script, as follows:

. . .
open( SPAM, '| spamassassin -e > /dev/null');
print SPAM "$message";
close( SPAM );
. . .

-- Chuck

From borzoi at caltanet.it Fri Aug 18 08:33:51 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Fri, 18 Aug 2006 10:33:51 +0200
Subject: A request: using seaudit-report to automatically generate reports and posting per e-mail and on Intranet site
Message-ID: <002e01c6c2a1$09c2ea90$392a2a0a@denictolisp>

Hello everybody,
on RHEL-SELG, I read that piping through STDIN/STDOUT can be used, with seaudit-report, to create an automatic report generator, and to send the reports through e-mail and post them on an Intranet page. This is a solution I definitely need; has anyone implemented it?

Hope to hear from you soon,
Paolo De Nictolis

From MSchwartz at mn.rr.com Fri Aug 18 12:38:45 2006
From: MSchwartz at mn.rr.com (Marc Schwartz)
Date: Fri, 18 Aug 2006 07:38:45 -0500
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <20060817212234.6a5049a5@heimdall.crayne.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org> <20060817212234.6a5049a5@heimdall.crayne.org>
Message-ID:

Charles A. Crayne wrote:
> On Thu, 17 Aug 2006 07:57:17 +0100
> Paul Howarth wrote:
>
> :How do you call spamassassin from procmail?
>
> In addition to the direct call cited in my previous reply, I have now
> unearthed an indirect call via a perl script, as follows:
>
> . . .
> open( SPAM, '| spamassassin -e > /dev/null');
> print SPAM "$message";
> close( SPAM );
> . . .
>
> -- Chuck
>

Chuck,

What happens if you change the call in .procmailrc to:

:0 fw
| /usr/bin/spamc

so that the spamd daemon is used rather than running the spamassassin executable each time?

Marc Schwartz

From paul at city-fan.org Fri Aug 18 13:16:36 2006
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 18 Aug 2006 14:16:36 +0100
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To:
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org> <20060817212234.6a5049a5@heimdall.crayne.org>
Message-ID: <44E5BDB4.60406@city-fan.org>

Marc Schwartz wrote:
> Charles A. Crayne wrote:
>> On Thu, 17 Aug 2006 07:57:17 +0100
>> Paul Howarth wrote:
>>
>> :How do you call spamassassin from procmail?
>>
>> In addition to the direct call cited in my previous reply, I have now
>> unearthed an indirect call via a perl script, as follows:
>>
>> . . .
>> open( SPAM, '| spamassassin -e > /dev/null');
>> print SPAM "$message";
>> close( SPAM );
>> . . .
>>
>> -- Chuck
>>
>
> Chuck,
>
> What happens if you change the call in .procmailrc to:
>
> :0 fw
> | /usr/bin/spamc
>
> so that the spamd daemon is used rather than running the spamassassin
> executable each time?

This is much more likely to work properly, since procmail will transition properly to the spamassassin client domain this way. And of course it'll be faster.

Paul.

From meyering at redhat.com Fri Aug 18 13:26:01 2006
From: meyering at redhat.com (Jim Meyering)
Date: Fri, 18 Aug 2006 15:26:01 +0200
Subject: Does SELinux-enabled mkdir *really* need --context=CTX (aka -Z CTX)?
Message-ID: <87ejve5g5y.fsf@rho.meyering.net>

I've just posted the above question to fedora-list:

https://www.redhat.com/archives/fedora-list/2006-August/msg02264.html

Feedback welcome.

From jrmneves at hotmail.com Fri Aug 18 23:26:43 2006
From: jrmneves at hotmail.com (Ricardo Neves)
Date: Fri, 18 Aug 2006 19:26:43 -0400
Subject: RHEL4 Strict Policy Question
Message-ID:

I'm new to SELinux and I have a basic doubt for which I can't find any conclusive answer. I'm building a prototype using Red Hat Enterprise Linux 4 and I want to consider using a strict policy for this project. The base strict policy does not come with Red Hat, so I've been searching and reading conflicting information about it, which would be (1) downloading from Red Hat (I can't find it anywhere) or (2) getting it from Fedora Core 4 and making some tweaks in the policy.

Can anybody tell me if any of these options apply? If I need to download from Red Hat, is it charged, and if I should get it from FC4, is it usable at all when applied to RHEL4?

Thanks in advance, I apologize if this has been asked before in this list...

From i.pilcher at comcast.net Sat Aug 19 14:18:18 2006
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Sat, 19 Aug 2006 09:18:18 -0500
Subject: Can't set context of VFAT filesystem
Message-ID:

I am unable to use the context, fscontext, or defcontext options when mounting a VFAT filesystem:

type=AVC msg=audit(1155867673.190:23): avc: denied { relabelto } for pid=2641 comm="mount" scontext=root:system_r:unconfined_mount_t:s0-s0:c0.c255 tcontext=system_u:object_r:bootloader_t:s0 tclass=filesystem

Anyone know if this is a bug or expected behavior?

Thanks!

-- 
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================

From borzoi at caltanet.it Sat Aug 19 18:06:13 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Sat, 19 Aug 2006 20:06:13 +0200
Subject: R: RHEL4 Strict Policy Question
In-Reply-To: <20060819160008.CB01473278@hormel.redhat.com>
Message-ID: <006601c6c3ba$2ecc6b80$63bf6850@STEFANENKO>

----------------------------------------------------------------------

Message: 1
Date: Fri, 18 Aug 2006 19:26:43 -0400
From: "Ricardo Neves"
Subject: RHEL4 Strict Policy Question
To:
Message-ID:
Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original

I'm new to SELinux and I have a basic doubt for which I can't find any conclusive answer. I'm building a prototype using Red Hat Enterprise Linux 4 and I want to consider using a strict policy for this project. The base strict policy does not come with Red Hat, so I've been searching and reading conflicting information about it, which would be (1) downloading from Red Hat (I can't find it anywhere) or (2) getting it from Fedora Core 4 and making some tweaks in the policy.

Can anybody tell me if any of these options apply? If I need to download from Red Hat, is it charged, and if I should get it from FC4, is it usable at all when applied to RHEL4?

Thanks in advance, I apologize if this has been asked before in this list...

------------------------------

Hello Ricardo,
Did you take into consideration using Tresys' Reference Policy (http://oss.tresys.com/projects/refpolicy)?
As you can note if you click "Download Release" (http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease) and look at the end of the page, there are RPMs for RHEL 4 also.

Paolo De Nictolis

From jrmneves at hotmail.com Sat Aug 19 18:17:20 2006
From: jrmneves at hotmail.com (Ricardo Neves)
Date: Sat, 19 Aug 2006 14:17:20 -0400
Subject: RHEL4 Strict Policy Question
References: <006601c6c3ba$2ecc6b80$63bf6850@STEFANENKO>
Message-ID:

> Hello Ricardo,
> Did you take into consideration using Tresys' Reference Policy
> (http://oss.tresys.com/projects/refpolicy)?
> As you can note if you click "Download Release"
> (http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease) and look
> at
> the end of the page, there are RPMs for RHEL 4 also.

Paolo,

Thank you so much for the information! On their website they say it is an alternative between the strict and the targeted, and it seems a nice project. I will definitely give it a try...

Ricardo

From linux_4ever at yahoo.com Sat Aug 19 19:16:10 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 19 Aug 2006 12:16:10 -0700 (PDT)
Subject: Can't set context of VFAT filesystem
In-Reply-To:
Message-ID: <20060819191610.40167.qmail@web51502.mail.yahoo.com>

>Anyone know if this is a bug or expected behavior?

I don't think MS file formats know about extended attributes. You might be able to play with mount options to get a context for the whole disk, but I don't think it can be set file by file.

-Steve

From i.pilcher at comcast.net Sun Aug 20 02:14:00 2006
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Sat, 19 Aug 2006 21:14:00 -0500
Subject: Can't set context of VFAT filesystem
In-Reply-To: <20060819191610.40167.qmail@web51502.mail.yahoo.com>
References: <20060819191610.40167.qmail@web51502.mail.yahoo.com>
Message-ID:

Steve G wrote:
> I don't think MS file formats know about extended attributes. You might be able
> to play with mount options to get a context for the whole disk, but I don't think
> it can be set file by file.

Read my original post again; that's what I'm trying to do.

-- 
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================

From ccrayne at crayne.org Mon Aug 21 04:16:26 2006
From: ccrayne at crayne.org (Charles A. Crayne)
Date: Sun, 20 Aug 2006 21:16:26 -0700
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To:
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org> <20060817212234.6a5049a5@heimdall.crayne.org>
Message-ID: <20060820211626.78abf1ae@heimdall.crayne.org>

On Fri, 18 Aug 2006 07:38:45 -0500
Marc Schwartz wrote:

:What happens if you change the call in .procmailrc to:
:
::0 fw
:| /usr/bin/spamc
:
:
:so that the spamd daemon is used rather than running the spamassassin
:executable each time?

Most of the denied messages changed from spamassassin to spamd. :-) However, the ones involving shadow_t still said spamassassin, and now that I have changed the Perl call as well, the shadow_t issue seems to have gone away.

Thanks to both you and Paul for the suggestion.

-- Chuck

From paul at city-fan.org Mon Aug 21 07:57:05 2006
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 21 Aug 2006 08:57:05 +0100
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <20060820211626.78abf1ae@heimdall.crayne.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org> <20060817212234.6a5049a5@heimdall.crayne.org> <20060820211626.78abf1ae@heimdall.crayne.org>
Message-ID: <1156147025.19369.9.camel@metropolis.intra.city-fan.org>

On Sun, 2006-08-20 at 21:16 -0700, Charles A. Crayne wrote:
> On Fri, 18 Aug 2006 07:38:45 -0500
> Marc Schwartz wrote:
>
> :What happens if you change the call in .procmailrc to:
> :
> ::0 fw
> :| /usr/bin/spamc
> :
> :
> :so that the spamd daemon is used rather than running the spamassassin
> :executable each time?
>
> Most of the denied messages changed from spamassassin to spamd. :-)
> However, the ones involving shadow_t still said spamassassin, and now that
> I have changed the Perl call as well, the shadow_t issue seems to have
> gone away.
>
> Thanks to both you and Paul for the suggestion.

Which selinux-policy version do you have?

$ rpm -q selinux-policy

Paul.

From cpebenito at tresys.com Mon Aug 21 13:10:03 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Aug 2006 09:10:03 -0400
Subject: Can't set context of VFAT filesystem
In-Reply-To:
References:
Message-ID: <1156165803.14126.50.camel@sgc>

On Sat, 2006-08-19 at 09:18 -0500, Ian Pilcher wrote:
> I am unable to use the context, fscontext, or defcontext options when
> mounting a VFAT filesystem:
>
> type=AVC msg=audit(1155867673.190:23): avc: denied { relabelto } for
> pid=2641 comm="mount"
> scontext=root:system_r:unconfined_mount_t:s0-s0:c0.c255
> tcontext=system_u:object_r:bootloader_t:s0 tclass=filesystem
>
> Anyone know if this is a bug or expected behavior?

You can't relabel it to bootloader_t; that's a domain type, not a file type. My guess is that you want boot_t.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From i.pilcher at comcast.net Mon Aug 21 16:51:46 2006
From: i.pilcher at comcast.net (Ian Pilcher)
Date: Mon, 21 Aug 2006 11:51:46 -0500
Subject: Can't set context of VFAT filesystem
In-Reply-To: <1156165803.14126.50.camel@sgc>
References: <1156165803.14126.50.camel@sgc>
Message-ID:

Christopher J. PeBenito wrote:
> You can't relabel it to bootloader_t; that's a domain type, not a file
> type. My guess is that you want boot_t.

Your guess is absolutely correct. Thanks!

Note that while 'context=system_u:object_r:boot_t' works from a root shell, I had to use 'context=system_u:object_r:boot_t:s0' to get it to work at boot time. Bug?

-- 
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================

From ccrayne at crayne.org Mon Aug 21 19:16:37 2006
From: ccrayne at crayne.org (Charles A. Crayne)
Date: Mon, 21 Aug 2006 12:16:37 -0700
Subject: Procmail, Spamassassin, and /etc/shadow
In-Reply-To: <1156147025.19369.9.camel@metropolis.intra.city-fan.org>
References: <20060816213810.3e5e5315@heimdall.crayne.org> <1155797847.21812.0.camel@metropolis.intra.city-fan.org> <20060817212234.6a5049a5@heimdall.crayne.org> <20060820211626.78abf1ae@heimdall.crayne.org> <1156147025.19369.9.camel@metropolis.intra.city-fan.org>
Message-ID: <20060821121637.0e45ce98@heimdall.crayne.org>

On Mon, 21 Aug 2006 08:57:05 +0100
Paul Howarth wrote:

:Which selinux-policy version do you have?

selinux-policy-2.3.3-8.fc5

-- Chuck

From ccrayne at crayne.org Tue Aug 22 02:20:10 2006
From: ccrayne at crayne.org (Charles A. Crayne)
Date: Mon, 21 Aug 2006 19:20:10 -0700
Subject: Please review allow rules
Message-ID: <20060821192010.57e41681@heimdall.crayne.org>

The following rules were created by audit2allow to enable my server to operate denial messages. If some kind soul would glance over them to see if they raise any red flags, I would appreciate it.

allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
allow httpd_t snmpd_var_lib_t:file { getattr read };
allow httpd_t system_dbusd_var_run_t:dir { getattr read };
allow innd_t file_t:file { getattr ioctl read write };
allow innd_t home_root_t:dir search;
allow innd_t tmp_t:dir search;
allow innd_t user_home_t:file { getattr read };
allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
allow procmail_t innd_etc_t:dir search;
allow procmail_t innd_etc_t:file read;
allow procmail_t innd_exec_t:file { execute execute_no_trans read };
allow procmail_t innd_port_t:tcp_socket name_connect;
allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
allow procmail_t procmail_exec_t:file execute_no_trans;
allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow procmail_t razor_port_t:tcp_socket name_connect;
allow procmail_t smtp_port_t:tcp_socket name_connect;
allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
allow procmail_t tmp_t:file { create getattr ioctl read unlink write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow spamd_t user_home_dir_t:dir read;
allow spamd_t user_home_dir_t:file { append getattr ioctl read };
allow xfs_t default_t:dir search;
allow xfs_t default_t:file { getattr read };

-- Chuck

From dwalsh at redhat.com Wed Aug 23 15:55:44 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 Aug 2006 11:55:44 -0400
Subject: A couple of mount AVCs
In-Reply-To: <44E3316C.8000601@city-fan.org>
References: <44E3316C.8000601@city-fan.org>
Message-ID: <44EC7A80.9060605@redhat.com>

Paul Howarth wrote:
> Jason L Tibbitts III wrote:
>> I'm experimenting with turning on SELinux for my FC5 desktops. I took
>> a machine that was kickstarted with "selinux --disabled", fully
>> updated, edited /etc/sysconfig/selinux to change "disabled" to
>> "enforcing", rebooted and waited for the relabel.
>>
>> Upon boot I get this twice:
>>
>> audit(1155677507.814:309): avc: denied { mounton } for pid=1566
>> comm="mount" name="mail" dev=dm-4 ino=393219
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
>>
>> /var/spool/mail is supposed to be NFS mounted, but this AVC causes
>> that mount to fail. (Yes, IMAP will be my savior, but some people
>> here still use /bin/mail. Really.) What's odd is that I can log in
>> as root and type "mount /var/spool/mail" and it mounts fine.
>
> Unmount /var/spool/mail
>
> Try:
> # service netfs start
>
> This should try and fail to do the mount, just as it does at boot time.
>
> Now try:
> # chcon -t mnt_t /var/spool/mail
> # service netfs start
>
> This time it should work.
>
>> We also have NFS-mounted user home directories via autofs; the map is
>> in LDAP and nscd is running. Every attempt to access a user home
>> directory results in:
>>
>> audit(1155738357.735:345): avc: denied { write } for pid=7344
>> comm="mount" name="socket" dev=dm-4 ino=131097
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
>> audit(1155738357.735:346): avc: denied { write } for pid=7344
>> comm="mount" name="socket" dev=dm-4 ino=131097
>> scontext=system_u:system_r:mount_t:s0
>> tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
>> SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
>>
>> and the mount actually succeeds.
>
> What's the output of:
> # getsebool use_nfs_home_dirs
>
> It's probably set or you'd be having lots of other failures. It may be
> something that needs dontaudit-ing since it's actually working OK.
>
> Paul.

No, it should be allowed; mount is trying to use nscd to look at user records. Updated policy with this allow.

From dwalsh at redhat.com Wed Aug 23 18:29:31 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 Aug 2006 14:29:31 -0400
Subject: Please review allow rules
In-Reply-To: <20060821192010.57e41681@heimdall.crayne.org>
References: <20060821192010.57e41681@heimdall.crayne.org>
Message-ID: <44EC9E8B.9090107@redhat.com>

Charles A. Crayne wrote:
> The following rules were created by audit2allow to enable my server to
> operate denial messages. If some kind soul would glance over them to see
> if they raise any red flags, I would appreciate it.
>
> allow fetchmail_t user_home_t:file { getattr ioctl read };
> allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir
> search write };
> allow httpd_sys_script_t user_home_t:file { append execute
> execute_no_trans getattr ioctl read unlink };
>

This looks like you have a labeling problem on a directory, and perhaps you do not have the correct boolean set for httpd?

getsebool httpd_enable_homedirs

Should be set to 1 if you want apache to be able to read homedirs.

setsebool -P httpd_enable_homedirs=1

> allow httpd_t snmpd_var_lib_t:file { getattr read };
> allow httpd_t system_dbusd_var_run_t:dir { getattr read };
> allow innd_t file_t:file { getattr ioctl read write };
>

This looks like a labeling problem. file_t should never be present on a system. I would recommend relabeling:

touch /.autorelabel; reboot

> allow innd_t home_root_t:dir search;
> allow innd_t tmp_t:dir search;
> allow innd_t user_home_t:file { getattr read };
> allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
> allow procmail_t innd_etc_t:dir search;
> allow procmail_t innd_etc_t:file read;
> allow procmail_t innd_exec_t:file { execute execute_no_trans read };
> allow procmail_t innd_port_t:tcp_socket name_connect;
> allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
> allow procmail_t procmail_exec_t:file execute_no_trans;
> allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr
> ioctl read };
> allow procmail_t razor_port_t:tcp_socket name_connect;
> allow procmail_t smtp_port_t:tcp_socket name_connect;
> allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search
> write };
> allow procmail_t tmp_t:file { create getattr ioctl read unlink
> write };
> allow procmail_t user_home_t:file { execute execute_no_trans };
> allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl
> read };
> allow spamd_t user_home_dir_t:dir read;
> allow spamd_t user_home_dir_t:file { append getattr ioctl read };
>

Do you have the spamd_enable_home_dirs boolean set?

setsebool -P spamd_enable_home_dirs=1

> allow xfs_t default_t:dir search;
> allow xfs_t default_t:file { getattr read };
>
> -- Chuck

From pvishnoi at networkprograms.com Fri Aug 25 16:15:47 2006
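The two threads above (Stephen Smalley's "use dontaudit, not allow, for shadow_t" and Dan Walsh's review of Chuck's audit2allow output) both amount to the same discipline: group the AVC denials into rules, then look at each rule before loading it. The script below is an added example, not code from the list or from audit2allow; it parses kernel AVC lines in the format quoted in this thread and applies only the red-flag checks the replies describe (shadow_t, file_t, the httpd and spamd home-directory booleans). The last two sample log lines are constructed, not from the archive.

```python
"""Group SELinux AVC denials into audit2allow-style rules and flag the ones
that the replies in this thread say should not simply be allowed."""
import re
from collections import defaultdict

# Kernel AVC format as quoted in this thread. Only the fields needed to build
# a rule are captured; the fields in between (pid, comm, name, ...) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Review heuristics, each taken from a reply above.
SENSITIVE_TARGETS = {"shadow_t"}   # an allow trips a policy assertion; dontaudit instead
UNLABELED_TARGETS = {"file_t"}     # should never be present: relabel rather than allow
BOOLEAN_HINTS = {                  # (source, target) -> boolean to check before adding a rule
    ("httpd_sys_script_t", "user_home_t"): "httpd_enable_homedirs",
    ("spamd_t", "user_home_dir_t"): "spamd_enable_home_dirs",
}


def context_type(ctx):
    """'user:role:type' or 'user:role:type:s0' -> 'type' (MLS suffix optional)."""
    return ctx.split(":")[2]


def parse_avcs(log_text):
    """Group denials into {(source type, target type, class): set(permissions)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC, e.g. "SELinux: initialized (dev 0:18, type nfs) ..."
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def format_rule(kind, stype, ttype, tclass, perms):
    """Render one rule the way audit2allow prints it (braces only for >1 permission)."""
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {stype} {ttype}:{tclass} {perm_str};"


def review(denials):
    """Return [(rule, verdict)]; verdict is allow, dontaudit, relabel or boolean:<name>."""
    result = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if ttype in SENSITIVE_TARGETS:
            rule, verdict = format_rule("dontaudit", stype, ttype, tclass, perms), "dontaudit"
        elif ttype in UNLABELED_TARGETS:
            rule, verdict = format_rule("allow", stype, ttype, tclass, perms), "relabel"
        elif (stype, ttype) in BOOLEAN_HINTS:
            rule = format_rule("allow", stype, ttype, tclass, perms)
            verdict = "boolean:" + BOOLEAN_HINTS[(stype, ttype)]
        else:
            rule, verdict = format_rule("allow", stype, ttype, tclass, perms), "allow"
        result.append((rule, verdict))
    return result


# Sample input: the first three AVC lines are the ones quoted in this thread;
# the last two are constructed to exercise the file_t and boolean checks.
SAMPLE_LOG = """\
Aug 17 15:19:02 kernel: audit(1155853142.532:103485): avc: denied { read } for pid=20360 comm=spamassassin name="shadow" dev=hda3 ino=230475 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file
Aug 17 15:19:02 kernel: audit(1155853142.532:103486): avc: denied { getattr } for pid=20360 comm=spamassassin name="shadow" dev=hda3 ino=230475 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
audit(1156000000.000:1): avc: denied { read write } for pid=1 comm="innd" name="x" dev=hda3 ino=1 scontext=system_u:system_r:innd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1156000000.000:2): avc: denied { search } for pid=2 comm="php" name="home" dev=hda3 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
"""

if __name__ == "__main__":
    for rule, verdict in review(parse_avcs(SAMPLE_LOG)):
        print(f"{verdict:32s} {rule}")
```

The verdicts only point at the advice in the thread; the rule that survives review still has to be tested in enforcing mode, as Stephen Smalley says, before it goes into a module.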
From: pvishnoi at networkprograms.com (Pranav Vishnoi) Date: Fri, 25 Aug 2006 21:45:47 +0530 Subject: Icons Disapperd References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> Message-ID: <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> I am using an FC5-based development environment for creating a live CD. In the live CD I am presently using SELinux in permissive mode with the targeted policy. But when I enable SELinux enforcing mode, all the icons on the taskbar, along with the menu icon, are disabled. I am unable to log in as root from this machine or from another machine by ssh. Provide a documentation link for SELinux as used in FC5. From dwalsh at redhat.com Fri Aug 25 17:02:07 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 25 Aug 2006 13:02:07 -0400 Subject: Icons Disapperd In-Reply-To: <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> Message-ID: <44EF2D0F.9070700@redhat.com> Pranav Vishnoi wrote: > I am using an FC5-based development environment for creating a live CD. > In the live CD I am presently using SELinux in permissive mode with the targeted > policy. But when I enable SELinux enforcing mode, all the icons on the taskbar, > along with the menu icon, are disabled. > I am unable to log in as root from this machine or from another machine by ssh. > > Provide a documentation link for SELinux as used in FC5. > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Sounds like you have a labeling problem. touch /.autorelabel reboot From pvishnoi at networkprograms.com Fri Aug 25 18:30:51 2006
From: pvishnoi at networkprograms.com (Pranav Vishnoi) Date: Sat, 26 Aug 2006 00:00:51 +0530 Subject: Icons Disapperd References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com> Message-ID: <04e601c6c874$9851d860$e5ca09c0@networkprograms.com> Thanks Daniel, I have some more queries related to SELinux. I am a new user of SELinux concepts; I have already downloaded all the documents related to SELinux from the Red Hat site, but I never found a perfect solution for it. Can you tell me where I can get training for SELinux in India? I support a LiveCD environment developed on Fedora Core. Up to FC4 I was using SELinux .te files and a customized local.te for the LiveCD. But at the time of FC5 I disabled SELinux and created the development environment for it. After creating the development I enabled SELinux in permissive mode to run all the components used in the LiveCD (Remo) successfully. Please provide me more documents on SELinux as used in FC5 & RHEL4. ----- Original Message ----- From: "Daniel J Walsh" To: "Pranav Vishnoi" Cc: Sent: Friday, August 25, 2006 10:32 PM Subject: Re: Icons Disapperd > Pranav Vishnoi wrote: > > I am using FC5 based devlopment enviroment for creating livecd. > > In live cd presently I am using selinux in permissive mode with targeted > > policy. But when I enabled selinux enforcing mode all the icons are disabled > > of taskbar with menus icon. > > I am unable to login as root from this machine or other machine by ssh. > > > > Provide document link for selinux used in FC5 > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > Sounds like you have a labeling problem. > > touch /.autorelabel > reboot > From sundaram at fedoraproject.org Fri Aug 25 18:58:49 2006
From: sundaram at fedoraproject.org (Rahul) Date: Sat, 26 Aug 2006 00:28:49 +0530 Subject: Icons Disapperd In-Reply-To: <04e601c6c874$9851d860$e5ca09c0@networkprograms.com> References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com> <04e601c6c874$9851d860$e5ca09c0@networkprograms.com> Message-ID: <44EF4869.1080007@fedoraproject.org> Pranav Vishnoi wrote: > Thanks Daniel, > > I ahve some more queries relates with SELINUX, > I am new user in selinux concepts, I am already downlaod all the documents > related with selinux from redhat site. > But I never found perfact solution for it. Can u tell me where i get > training for selinux in India. https://www.redhat.com/training/security/courses/. Check your nearest office. > > I gives support LiveCd enviroment developed on Fedora Cores. Upto FC4 > selinux I am using .te files and customized own local.te for LIVECD. > But at the time of FC5 i disabled the selinux and create the development for > it. > After create development I unabled selinux in permissive mode to run > successful all the components used in LIVECD (Remo). > Please provide me more documents on selinux used in FC5 & RHEL4 > http://fedoraproject.org/wiki/SELinux http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ Rahul From pvishnoi at networkprograms.com Fri Aug 25 19:39:44 2006 
From: pvishnoi at networkprograms.com (Pranav Vishnoi) Date: Sat, 26 Aug 2006 01:09:44 +0530 Subject: Icons Disapperd References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com> <04e601c6c874$9851d860$e5ca09c0@networkprograms.com> <44EF4869.1080007@fedoraproject.org> Message-ID: <050501c6c87e$37c2ddf0$e5ca09c0@networkprograms.com> Thanks Rahul for giving me the certification details. But my problem remains. I have some questions. 1. After setenforce 1 I am unable to log in as root. Where do I make changes to give access permission to root? It gives the message "wrong password", but when I do setenforce 0 there is no problem logging in as root. 2. In the live CD there is no procedure to autorelabel the / structure. Is there any short command to relabel /? 3. Can I replace policy.20 with policy.18 or use the FC3 policy? ----- Original Message -----
From: "Rahul" To: "Pranav Vishnoi" Cc: "Daniel J Walsh" ; Sent: Saturday, August 26, 2006 12:28 AM Subject: Re: Icons Disapperd > Pranav Vishnoi wrote: > > Thanks Daniel, > > > > I ahve some more queries relates with SELINUX, > > I am new user in selinux concepts, I am already downlaod all the documents > > related with selinux from redhat site. > > But I never found perfact solution for it. Can u tell me where i get > > training for selinux in India. > > https://www.redhat.com/training/security/courses/. Check your nearest > office. > > > > > > I gives support LiveCd enviroment developed on Fedora Cores. Upto FC4 > > selinux I am using .te files and customized own local.te for LIVECD. > > But at the time of FC5 i disabled the selinux and create the development for > > it. > > After create development I unabled selinux in permissive mode to run > > successful all the components used in LIVECD (Remo). > > Please provide me more documents on selinux used in FC5 & RHEL4 > > > > http://fedoraproject.org/wiki/SELinux > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ > > Rahul From sundaram at fedoraproject.org Fri Aug 25 20:15:35 2006 
From: sundaram at fedoraproject.org (Rahul) Date: Sat, 26 Aug 2006 01:45:35 +0530 Subject: Icons Disapperd In-Reply-To: <050501c6c87e$37c2ddf0$e5ca09c0@networkprograms.com> References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com> <04e601c6c874$9851d860$e5ca09c0@networkprograms.com> <44EF4869.1080007@fedoraproject.org> <050501c6c87e$37c2ddf0$e5ca09c0@networkprograms.com> Message-ID: <44EF5A67.6040808@fedoraproject.org> Pranav Vishnoi wrote: > Thanks Rahul > For giving me a certification details. > But my problem is remain. I have some questions. > 1.After setenforce 1 Iam unable to login root, Where I do changes to give > access permision to root. It gives message wrong password. but when I do > setenforce 0 > there is no problem to login as root. Then you need to look at AVC denied messages in /var/log/messages or /var/log/audit (if audit service is enabled) and post the messages to this list if you are unable to figure out and resolve it. > 2. In live cd there is no procedure for auto relabel / structure. any short > command for relabel / . relabel /. seems a rather short command to me. > 3. Can I replace policy.20 with policy.18 or used fc3 policy? > Usually a bad idea as newer policies tend to be better. Rahul From pvishnoi at networkprograms.com Fri Aug 25 23:01:15 2006 
From: pvishnoi at networkprograms.com (Pranav Vishnoi) Date: Sat, 26 Aug 2006 04:31:15 +0530 Subject: Fw: Icons Disapperd Message-ID: <054601c6c89a$5e857080$e5ca09c0@networkprograms.com> I never found a relabel /. command. Do you have any other command? Some SELinux denied messages are written below. Please check these denied messages and give me some solution. I am attaching my local.te file. I am using this file to create local.pp, then using semodule -i local.pp to install this module.
Aug 26 11:40:39 remosecurity kernel: audit(1156572639.910:111): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 00:51:17 remosecurity kernel: cdrom: This disc doesn't have any tracks I recognize!
Aug 26 00:51:17 remosecurity kernel: audit(1156533677.305:112): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 02:11:02 remosecurity kernel: audit(1156538462.736:115): avc: denied { search } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 02:21:59 remosecurity kernel: audit(1156539119.081:116): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
1. Is there any other way to use this local.te? And when I change /etc/selinux/config to enforcing, I have a session error when I want to log in. ----- Original Message -----
From: "Rahul" > To: "Pranav Vishnoi" > Cc: "Daniel J Walsh" ; > Sent: Saturday, August 26, 2006 1:45 AM > Subject: Re: Icons Disapperd > > > > Pranav Vishnoi wrote: > > > Thanks Rahul > > > For giving me a certification details. > > > But my problem is remain. I have some questions. > > > 1.After setenforce 1 Iam unable to login root, Where I do changes to > give > > > access permision to root. It gives message wrong password. but when I do > > > setenforce 0 > > > there is no problem to login as root. > > > > Then you need to look at AVC denied messages in /var/log/messages or > > /var/log/audit (if audit service is enabled) and post the messages to > > this list if you are unable to figure out and resolve it. > > > > > > > 2. In live cd there is no procedure for auto relabel / structure. any > short > > > command for relabel / . > > > > relabel /. seems a rather short command to me. > > > > > 3. Can I replace policy.20 with policy.18 or used fc3 policy? > > > > > > > Usually a bad idea as newer policies tend to be better. > > > > Rahul > -------------- next part -------------- A non-text attachment was scrubbed... Name: local.te Type: application/octet-stream Size: 24416 bytes Desc: not available URL: From dragoran at feuerpokemon.de Sat Aug 26 14:33:41 2006 From: dragoran at feuerpokemon.de (dragoran) Date: Sat, 26 Aug 2006 16:33:41 +0200 Subject: Fw: Icons Disapperd In-Reply-To: <054601c6c89a$5e857080$e5ca09c0@networkprograms.com> References: <054601c6c89a$5e857080$e5ca09c0@networkprograms.com> Message-ID: <44F05BC5.9040505@feuerpokemon.de> Pranav Vishnoi wrote: > I never found a relabel /. command. Do you have any other command? > > try /sbin/restorecon -v -R / From ccrayne at crayne.org Sun Aug 27 00:11:33 2006
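The two threads above keep arriving at the same triage question: given a pile of AVC denials, which ones are a labeling problem (Dan Walsh's "file_t should never be present on a system", dragoran's restorecon), which are a boolean that is simply not set (httpd_enable_homedirs, spamd_enable_home_dirs), and which actually merit a local policy module? The script below is an added example, not code from this list, from audit2allow or from setroubleshoot. It parses kernel audit lines in the exact format posted above, merges them into audit2allow-style rules, and attaches a verdict using the checks named in the thread. The sample log is constructed: the hald lines copy the ones posted above, the httpd lines are made up to show the boolean case. The boolean names are the ones given in the thread; the prefix-to-boolean table is otherwise an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of the kernel audit lines posted
# above; the hald lines mirror the message, the httpd lines are made up.
SAMPLE_LOG = """\
Aug 26 11:40:39 remosecurity kernel: audit(1156572639.910:111): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 00:51:17 remosecurity kernel: cdrom: This disc doesn't have any tracks I recognize!
Aug 26 02:11:02 remosecurity kernel: audit(1156538462.736:115): avc: denied { search } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 23 10:01:05 heimdall kernel: audit(1156327265.100:200): avc: denied { read } for pid=3100 comm="httpd" name="index.html" dev=hda3 ino=41 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Aug 23 10:01:06 heimdall kernel: audit(1156327266.100:201): avc: denied { getattr } for pid=3100 comm="httpd" name="index.html" dev=hda3 ino=41 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Targets that mean "the object was never labeled"; the fix is restorecon or
# /.autorelabel (or a file_contexts entry), never an allow rule.
UNLABELED = {"file_t": "file_t is the label of an object that has never been labeled",
             "default_t": "default_t means no file_contexts entry matches the path"}
HOME_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t"}
# Booleans named in this thread for daemons that need to reach home directories
# (the prefix mapping itself is an assumption of this example).
HOME_BOOLEANS = {"httpd": "httpd_enable_homedirs", "spamd": "spamd_enable_home_dirs"}


def parse_avc(line):
    """Split one 'avc: denied' line into its fields; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = set(m.group("perms").split())
    # third field of user:role:type[:level] is the type; the MLS level is dropped
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def aggregate(lines):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return merged


def allow_rule(key, perms):
    """Render the audit2allow-style rule for one merged denial."""
    stype, ttype, tclass = key
    plist = sorted(perms)
    body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)


def triage(key, perms):
    """Return (verdict, advice): relabel, boolean, review or policy."""
    stype, ttype, tclass = key
    if ttype in UNLABELED:
        return "relabel", "%s; run restorecon -v -R on the path (or touch /.autorelabel; reboot)" % UNLABELED[ttype]
    if ttype in HOME_TYPES:
        for prefix, boolean in HOME_BOOLEANS.items():
            if stype.startswith(prefix):
                return "boolean", "check 'getsebool %s' before adding a rule" % boolean
    if perms & {"execute", "execute_no_trans"}:
        return "review", "lets %s run %s content in its own domain; confirm that is intended" % (stype, ttype)
    return "policy", "no known boolean or labeling cause; a local module may be appropriate"


def report(text):
    """Triage every denial in a log excerpt; returns [(rule, verdict, advice)]."""
    rows = []
    for key, perms in sorted(aggregate(text.splitlines()).items()):
        verdict, advice = triage(key, perms)
        rows.append((allow_rule(key, perms), verdict, advice))
    return rows


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rule, verdict, advice in report(text):
        print("[%-7s] %s\n          %s" % (verdict, rule, advice))
```

Run it against /var/log/messages (or the output of ausearch -m avc) and only the rows marked "policy" are candidates for a module; "relabel" rows should never be turned into allow rules, since an allow on file_t lets the domain reach anything that was never labeled, which is exactly the situation the hald denials above describe.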
From: ccrayne at crayne.org (Charles A. Crayne) Date: Sat, 26 Aug 2006 17:11:33 -0700 Subject: Please review allow rules In-Reply-To: <44EC9E8B.9090107@redhat.com> References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> Message-ID: <20060826171133.2cb3d7d1@heimdall.crayne.org> On Wed, 23 Aug 2006 14:29:31 -0400 Daniel J Walsh wrote: :This looks like you have a labeling problem on a directory and perhaps :you do not have the correct boolean set for httpd? Thank you for taking the time to try to help me, but alas, in the end, it all came to nothing. Both of the booleans you cited were already set, and relabeling did not fix the problems. -- Chuck From pvishnoi at networkprograms.com Mon Aug 28 14:39:58 2006 From: pvishnoi at networkprograms.com (Pranav Vishnoi) Date: Mon, 28 Aug 2006 20:09:58 +0530 Subject: Icons Disapperd References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com><04e601c6c874$9851d860$e5ca09c0@networkprograms.com><44EF4869.1080007@fedoraproject.org> <050501c6c87e$37c2ddf0$e5ca09c0@networkprograms.com> Message-ID: <01d101c6caaf$d739e120$e5ca09c0@networkprograms.com> I relabeled / again with the restorecon command. But after creating local.te and running make -f Makefile, it makes the local.pp file. Using semodule -i local.pp, it gives an error message:
libsepol.permission_copy_callback: Module local depends on permission getattr in class system, not satisfied
libsemanage.semanage_link_sandbox: link package failed
I have class system { getattr ... } Please provide me a solution. Pranav Vishnoi ----- Original Message -----
From: "Pranav Vishnoi" To: "Rahul" Cc: "Daniel J Walsh" ; Sent: Saturday, August 26, 2006 1:09 AM Subject: Re: Icons Disapperd > Thanks Rahul > For giving me a certification details. > But my problem is remain. I have some questions. > 1.After setenforce 1 Iam unable to login root, Where I do changes to give > access permision to root. It gives message wrong password. but when I do > setenforce 0 > there is no problem to login as root. > 2. In live cd there is no procedure for auto relabel / structure. any short > command for relabel / . > 3. Can I replace policy.20 with policy.18 or used fc3 policy? > > > ----- Original Message ----- 
> From: "Rahul" > To: "Pranav Vishnoi" > Cc: "Daniel J Walsh" ; > Sent: Saturday, August 26, 2006 12:28 AM > Subject: Re: Icons Disapperd > > > > Pranav Vishnoi wrote: > > > Thanks Daniel, > > > > > > I ahve some more queries relates with SELINUX, > > > I am new user in selinux concepts, I am already downlaod all the > documents > > > related with selinux from redhat site. > > > But I never found perfact solution for it. Can u tell me where i get > > > training for selinux in India. > > > > https://www.redhat.com/training/security/courses/. Check your nearest > > office. > > > > > > > > > > I gives support LiveCd enviroment developed on Fedora Cores. Upto FC4 > > > selinux I am using .te files and customized own local.te for LIVECD. > > > But at the time of FC5 i disabled the selinux and create the development > for > > > it. > > > After create development I unabled selinux in permissive mode to run > > > successful all the components used in LIVECD (Remo). > > > Please provide me more documents on selinux used in FC5 & RHEL4 > > > > > > > http://fedoraproject.org/wiki/SELinux > > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ > > > > Rahul > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From borzoi at caltanet.it Mon Aug 28 15:31:32 2006 
From: borzoi at caltanet.it (Paolo D.) Date: Mon, 28 Aug 2006 17:31:32 +0200 Subject: Using seaudit-report to send reports per e-mail or post to an Intranet page Message-ID: <003a01c6cab7$12634780$f4bf6850@STEFANENKO> Hello everybody, in the Red Hat SELinux Guide, paragraph 6.2.3, page 95 of 130, Kersten Wade wrote about seaudit-report: "The command lets you specify the incoming log source, either from files or STDIN, and output to a file or STDOUT as text or styled HTML. By piping through seaudit-report using STDIN and STDOUT, you can use this utility to generate automatic reports that can be sent via email or posted on an Intranet page." This solution is definitely interesting to me; do you have code to implement it? Paolo De Nictolis From jdennis at redhat.com Mon Aug 28 15:55:59 2006
From: jdennis at redhat.com (John Dennis) Date: Mon, 28 Aug 2006 11:55:59 -0400 Subject: Using seaudit-report to send reports per e-mail or post to an Intranet page In-Reply-To: <003a01c6cab7$12634780$f4bf6850@STEFANENKO> References: <003a01c6cab7$12634780$f4bf6850@STEFANENKO> Message-ID: <1156780559.2931.4.camel@localhost.localdomain> On Mon, 2006-08-28 at 17:31 +0200, Paolo D. wrote: > Hello everybody, > in the Red Hat SELinux Guide, paragraph 6.2.3, page 95 of 130, Kersten > Wade wrote about seaudit-report: "The command lets you specify the > incoming log source, either from files or STDIN, and output to a file or > STDOUT as text or styled HTML. By piping through seaudit-report using > STDIN and STDOUT, you can use this utility to generate automatic > reports that can be sent via email or posted on an Intranet page." > This solution is definitely interesting to me; do you have code to > implement it? This is not in reference to seaudit-report, but setroubleshoot does have the ability to aggregate the analysis of AVCs and send emails to interested parties with the summary information. (Note, although this feature is in the current package it is being reworked this week to be more friendly and use HTML formatting). -- John Dennis From dwalsh at redhat.com Mon Aug 28 17:05:10 2006
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 28 Aug 2006 13:05:10 -0400 Subject: Icons Disapperd In-Reply-To: <01d101c6caaf$d739e120$e5ca09c0@networkprograms.com> References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com><04e601c6c874$9851d860$e5ca09c0@networkprograms.com><44EF4869.1080007@fedoraproject.org> <050501c6c87e$37c2ddf0$e5ca09c0@networkprograms.com> <01d101c6caaf$d739e120$e5ca09c0@networkprograms.com> Message-ID: <44F32246.3080904@redhat.com> Pranav Vishnoi wrote: > I again relabel / by resoter cone command. > but after create local.te run make -f Makefile, it makes local.pp file. > using semodule -i local.pp, it gives a error message. > libsepol.permission_copy_callback: Module local depends on permission > getattr in class system, not satisfied > libsemanage.semanage_link_sandbox: link package failed > I have class system {getattr............} > Provide me solution > > Pranav Vishnoi > ----- Original Message ----- > From: "Pranav Vishnoi" > To: "Rahul" > Cc: "Daniel J Walsh" ; > Sent: Saturday, August 26, 2006 1:09 AM > Subject: Re: Icons Disapperd > > > >> Thanks Rahul >> For giving me a certification details. >> But my problem is remain. I have some questions. >> 1.After setenforce 1 Iam unable to login root, Where I do changes to give >> access permision to root. It gives message wrong password. but when I do >> setenforce 0 >> there is no problem to login as root. >> 2. In live cd there is no procedure for auto relabel / structure. any >> > short > >> command for relabel / . >> 3. Can I replace policy.20 with policy.18 or used fc3 policy? >> >> >> ----- Original Message ----- 
>> From: "Rahul" >> To: "Pranav Vishnoi" >> Cc: "Daniel J Walsh" ; >> Sent: Saturday, August 26, 2006 12:28 AM >> Subject: Re: Icons Disapperd >> >> >> >>> Pranav Vishnoi wrote: >>> >>>> Thanks Daniel, >>>> >>>> I ahve some more queries relates with SELINUX, >>>> I am new user in selinux concepts, I am already downlaod all the >>>> >> documents >> >>>> related with selinux from redhat site. >>>> But I never found perfact solution for it. Can u tell me where i get >>>> training for selinux in India. >>>> >>> https://www.redhat.com/training/security/courses/. Check your nearest >>> office. >>> >>> >>> >>>> I gives support LiveCd enviroment developed on Fedora Cores. Upto FC4 >>>> selinux I am using .te files and customized own local.te for LIVECD. >>>> But at the time of FC5 i disabled the selinux and create the >>>> > development > >> for >> >>>> it. >>>> After create development I unabled selinux in permissive mode to run >>>> successful all the components used in LIVECD (Remo). >>>> Please provide me more documents on selinux used in FC5 & RHEL4 >>>> >>>> >>> http://fedoraproject.org/wiki/SELinux >>> >>> > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ > >>> Rahul >>> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> > > You seem to have a badly mislabeled machine. You probably need to log in to the machine in permissive mode and execute the following. touch /.autorelabel reboot From dwalsh at redhat.com Mon Aug 28 17:06:36 2006
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 28 Aug 2006 13:06:36 -0400 Subject: Please review allow rules In-Reply-To: <20060826171133.2cb3d7d1@heimdall.crayne.org> References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <20060826171133.2cb3d7d1@heimdall.crayne.org> Message-ID: <44F3229C.3060807@redhat.com> Charles A. Crayne wrote: > On Wed, 23 Aug 2006 14:29:31 -0400 > Daniel J Walsh wrote: > > :This looks like you have a labeling problem on a directory and perhaps > :you do not have the correct boolean set for httpd? > > Thank you for taking the time to try to help me, but alas, in the end, it > all came to nothing. Both of the booleans you cited were already set, and > relabeling did not fix the problems. > > -- Chuck > Could you attach your current avc messages? From linux_4ever at yahoo.com Mon Aug 28 19:13:31 2006 From: linux_4ever at yahoo.com (Steve G) Date: Mon, 28 Aug 2006 12:13:31 -0700 (PDT) Subject: Using seaudit-report to send reports per e-mail or post to an Intranet page In-Reply-To: <003a01c6cab7$12634780$f4bf6850@STEFANENKO> Message-ID: <20060828191331.49837.qmail@web51503.mail.yahoo.com> >This solution is definitely interesting to me; do you have code to implement it? The aureport command was intended to be the audit log reduction utility. It can provide lots of information about various aspects of the system beyond AVCs. For example:
failed logins: aureport -ts today -l --failed
failed syscalls: aureport -ts today -i -s --failed
failed file access: aureport -ts today -i -f --failed
You can also get numeric summaries by adding --summary. -Steve From paul at city-fan.org Tue Aug 29 07:44:42 2006
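For the pipeline Paolo asked about, here is an added example that is not code from this list, from seaudit-report, setroubleshoot or aureport. It uses only the Python standard library: it reads AVC lines from a file or STDIN (as the guide describes for seaudit-report), counts them by process, source type, target type and class the way aureport --summary reduces its own reports, renders both a plain-text and a styled-HTML body, and builds a multipart/alternative message that an MTA can deliver or that can be written out as the intranet page. The sample lines are constructed in the format seen on this list; the sender, recipient, relay and file name are placeholders, and nothing is sent unless send() is called.

```python
import re
import sys
from collections import Counter
from email.message import EmailMessage
from html import escape

# Constructed sample log excerpt in the kernel audit format seen on this list.
SAMPLE = """\
Aug 26 11:40:39 remosecurity kernel: audit(1156572639.910:111): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 02:11:02 remosecurity kernel: audit(1156538462.736:115): avc: denied { search } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 02:15:00 remosecurity kernel: audit(1156538700.000:116): avc: denied { name_connect } for pid=2200 comm="procmail" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Aug 26 02:16:00 remosecurity kernel: cdrom: This disc doesn't have any tracks I recognize!
"""

DENIED_RE = re.compile(r"avc:\s+denied\b")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def summarize(lines):
    """Count denials per (comm, source type, target type, class), like aureport --summary."""
    counts = Counter()
    for line in lines:
        if not DENIED_RE.search(line):
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        key = (f.get("comm", "?"), f["scontext"].split(":")[2],
               f["tcontext"].split(":")[2], f["tclass"])
        counts[key] += 1
    return counts


def render_text(counts):
    """Plain-text body for mail readers that do not show HTML."""
    header = "%5s  %-10s %-22s %-22s %s" % ("count", "comm", "source", "target", "class")
    rows = ["%5d  %-10s %-22s %-22s %s" % (n, *k) for k, n in counts.most_common()]
    return "\n".join([header] + rows) + "\n"


def render_html(counts):
    """HTML table for the intranet page or an HTML-capable mail client."""
    head = "<tr><th>count</th><th>comm</th><th>source</th><th>target</th><th>class</th></tr>"
    body = "".join(
        "<tr><td>%d</td>%s</tr>" % (n, "".join("<td>%s</td>" % escape(c) for c in k))
        for k, n in counts.most_common())
    return ('<html><body><h2>SELinux AVC denials</h2>'
            '<table border="1">%s%s</table></body></html>' % (head, body))


def build_report(lines, sender, recipient, host="localhost"):
    """Build a multipart/alternative message carrying both bodies."""
    counts = summarize(lines)
    msg = EmailMessage()
    msg["Subject"] = "[selinux] %d AVC denials on %s" % (sum(counts.values()), host)
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(render_text(counts))
    msg.add_alternative(render_html(counts), subtype="html")
    return msg


def send(msg, relay="localhost"):
    """Hand the report to the local MTA. Not called here, so the example runs offline."""
    import smtplib
    with smtplib.SMTP(relay) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Usage (file name is a placeholder):
    #   python avc_report.py /var/log/messages      or      ausearch -m avc | python avc_report.py -
    if len(sys.argv) > 1:
        text = sys.stdin.read() if sys.argv[1] == "-" else open(sys.argv[1]).read()
    else:
        text = SAMPLE
    msg = build_report(text.splitlines(), "root@localhost", "security@example.com")
    print(msg["Subject"])
    print(msg.get_body(preferencelist=("plain",)).get_content())
```

Dropping this into cron with the previous day's log is the "automatic report" the guide describes; the HTML part is also what you would write to the intranet page. Keep in mind that the report only counts what the kernel logged, so a daemon that is already permissive or a dontaudit rule will leave no trace here.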
From: paul at city-fan.org (Paul Howarth) Date: Tue, 29 Aug 2006 08:44:42 +0100 Subject: selinux-policy-2.3.3-8.fc5 In-Reply-To: <1154418404.18934.13.camel@laurel.intra.city-fan.org> References: <1154418404.18934.13.camel@laurel.intra.city-fan.org> Message-ID: <1156837482.5946.32.camel@metropolis.intra.city-fan.org> On Tue, 2006-08-01 at 08:46 +0100, Paul Howarth wrote: > ... includes this changelog entry: > > * Tue Jun 20 2006 Dan Walsh 2.2.47-5 > - Break out selinux-devel package > > but sadly it's not true :-( Happily it *is* true for selinux-policy-2.3.7-2.fc5; I trust this was intentional? I've updated http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules and http://www.city-fan.org/tips/BuildSeLinuxPolicyModules to simplify things now that the procedures for FC5 and FC6 onwards are identical. Paul. From dwalsh at redhat.com Tue Aug 29 13:47:02 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 29 Aug 2006 09:47:02 -0400 Subject: selinux-policy-2.3.3-8.fc5 In-Reply-To: <1156837482.5946.32.camel@metropolis.intra.city-fan.org> References: <1154418404.18934.13.camel@laurel.intra.city-fan.org> <1156837482.5946.32.camel@metropolis.intra.city-fan.org> Message-ID: <44F44555.2060206@redhat.com> Paul Howarth wrote: > On Tue, 2006-08-01 at 08:46 +0100, Paul Howarth wrote: > >> ... includes this changelog entry: >> >> * Tue Jun 20 2006 Dan Walsh 2.2.47-5 >> - Break out selinux-devel package >> >> but sadly it's not true :-( >> > > Happily it *is* true for selinux-policy-2.3.7-2.fc5; I trust this was > intentional? > Yes > I've updated > http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules and > http://www.city-fan.org/tips/BuildSeLinuxPolicyModules to simplify > things now that the procedures for FC5 and FC6 onwards are identical. > Thanks. > Paul. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From benjamin.tsai at intervideo.com Wed Aug 30 11:06:06 2006 From: benjamin.tsai at intervideo.com (Benjamin Tsai) Date: Wed, 30 Aug 2006 19:06:06 +0800 Subject: Red Hat SELinux Application Development Guide? Message-ID: <8EE726B05F4D0D42AE5F0E2BC03CCF530DD63F@TPE-EVS02.ivi.net> I googled for this document on writing SELinux-aware software applications, but can't find any link from Red Hat. Does this document exist? Besides, is there any tutorial for writing SELinux-aware programs? I have read the "Red Hat SELinux Guide", NSA's "Implementing SELinux as a Linux Security Module", ... and some other documents about writing SELinux policy. But I still don't get how to write such a program. Please give me some directions. Thx. From sds at tycho.nsa.gov Wed Aug 30 11:57:55 2006
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 30 Aug 2006 07:57:55 -0400 Subject: Red Hat SELinux Application Development Guide? In-Reply-To: <8EE726B05F4D0D42AE5F0E2BC03CCF530DD63F@TPE-EVS02.ivi.net> References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DD63F@TPE-EVS02.ivi.net> Message-ID: <1156939075.22210.269.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2006-08-30 at 19:06 +0800, Benjamin Tsai wrote: > I googled-out this document for writing selinux-aware software > application, but can't find any of a link from RedHat. > > Does this document exist? Besides, is there any tutorial for writing > selinux-aware programs? > > I have read "Red Hat SELinux Guide", NSA "Implementing SELinux as a > Linux Security Module," ... and some other documents about writing > selinux policy. > > But still don't get it how to write such a program. Please give me > some directions. Thx. I don't think that such a guide was ever written, although Red Hat did contribute numerous individual man pages for libselinux functions (and other SELinux components). selinux-doc/PORTING (installed to /usr/share/doc/selinux-doc-x.y/PORTING) was a short summary of changes in the SELinux API for people porting code from the old (pre-2.6) SELinux to the new API. While written to a different audience, that document may be helpful to you. SELinux-aware applications fall into different categories; some of them are simply aware of security contexts (e.g. to get or set security contexts of processes or objects, to preserve security contexts on objects), some of them are using the SELinux API to get finer-grained protection than one can achieve via policy configuration alone, some of them are using the SELinux API to get policy decisions to enforce security policy over their own userspace objects and operations. You'll find examples throughout Fedora, plus the libselinux utils and policycoreutils included in the core SELinux userland.
-- Stephen Smalley National Security Agency From jdennis at redhat.com Wed Aug 30 14:04:18 2006 From: jdennis at redhat.com (John Dennis) Date: Wed, 30 Aug 2006 10:04:18 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) Message-ID: <1156946658.18802.33.camel@finch.boston.redhat.com> We need an icon to be used on the desktop which is associated with SELinux. The first intended use would be the icon associated with setroubleshoot to indicate you have an SELinux issue to deal with. In the interim we've been using Tux with a badge, but we can't use Tux because of legal constraints (however, lets not go down that rathole in this thread :-). We can't use a police badge because that's very close to the icon used for consolehelper root access. So far we've come up with: * Traffic Light (indicates stop/go). * Crossed swords * Bobby hat (English policeman) We would like some suggestions, anybody have a good idea? Just remember it has to be identifiable at small sizes. Images associated with the NSA probably won't get warm feelings in a variety of places. -- John Dennis Red Hat Inc. From rirving at antient.org Wed Aug 30 14:33:38 2006 
From: rirving at antient.org (Richard Irving) Date: Wed, 30 Aug 2006 10:33:38 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <1156946658.18802.33.camel@finch.boston.redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> Message-ID: <44F5A1C2.2080007@antient.org> John Dennis wrote: >We need an icon to be used on the desktop which is associated with >SELinux. The first intended use would be the icon associated with >setroubleshoot to indicate you have an SELinux issue to deal with. > >In the interim we've been using Tux with a badge, but we can't use Tux >because of legal constraints (however, lets not go down that rathole in >this thread :-). > >We can't use a police badge because that's very close to the icon used >for consolehelper root access. > >So far we've come up with: > >* Traffic Light (indicates stop/go). > >* Crossed swords > >* Bobby hat (English policeman) > >We would like some suggestions, anybody have a good idea? Just remember >it has to be identifiable at small sizes. Images associated with the NSA >probably won't get warm feelings in a variety of places. > > Images associated with NSA won't go over well? Hrmm.... maybe this is a *detailed* look and feel.... how about a starfish, inside an unbroken circle? (It is ready made for O'Reilly ;-) PPS: The crossed swords have my vote, if you don't like the starfish. That, or you put the starfish inside a pentagon..... instead of an unbroken circle, just different enough from the original to be unique. It would then symbolize "isolation and containment".... aligning the star's legs to the corners of the pentagon, isolating each fifth of the pentagon from the others. Both are recognizable, but not too similar to familiar logos among the puzzle palace crowd. (James Bamford, I am not.) Of course, you could use the silhouette of a piece of a jigsaw puzzle..... maybe with 5 "connectors", but that would be too obscure...
Or, yet still, combine the elements, a jigsaw puzzle piece, with a starfish, inside a pentagon, on the surface of the puzzle piece. ;-) Of course, there is the idea of a simple old fashioned "Flask" as a logo...... maybe even an antique flask, like a goatskin wine canteen (Zahato). That idea has some style.... From MSchwartz at mn.rr.com Wed Aug 30 15:22:19 2006 
From: MSchwartz at mn.rr.com (Marc Schwartz) Date: Wed, 30 Aug 2006 10:22:19 -0500 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F5A1C2.2080007@antient.org> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> Message-ID: Richard Irving wrote: > John Dennis wrote: > >> We need an icon to be used on the desktop which is associated with >> SELinux. The first intended use would be the icon associated with >> setroubleshoot to indicate you have an SELinux issue to deal with. >> >> In the interim we've been using Tux with a badge, but we can't use Tux >> because of legal constraints (however, lets not go down that rathole in >> this thread :-). Rathole? I thought Tux is a penguin... ;-) >> We can't use a police badge because that's very close to the icon used >> for consolehelper root access. >> >> So far we've come up with: >> >> * Traffic Light (indicates stop/go). >> >> * Crossed swords >> >> * Bobby hat (English policeman) >> >> We would like some suggestions, anybody have a good idea? Just remember >> it has to be identifiable at small sizes. Images associated with the NSA >> probably won't get warm feelings in a variety of places. It seems to me that (notwithstanding the political overtones) this position would be denying their significant contributions to this effort. Not just the organization as an entity, but that of key individuals. > Images associated with NSA won't go over well ? Hrmm.... maybe this is a > *detailed* look and feel.... how about a star fish, inside an unbroken > circle ? > > (It is ready made for O'Reilly ;-) O'Reilly already has their SELinux cover imagery (see McCarty's book) with Civil War era soldiers... :-) Though one could go further back than that in U.S. history to Paul Revere and the "Mechanics"... > PPS: The crossed swords have my vote, if you don't like the starfish. 
> > That, or you put the starfish inside a pentagon.....instead of an > unbroken circle, > just different enough from the original to be unique. It would then > symbolize > "isolation and containment".... aligning the stars legs to the corners > of the pentagon, > isolating each 5th of the pentagon from the other. > > Both are recognizable, but not too similar to familiar logo's among the > puzzle palace crowd. > > (James Bamford, I am not.) > > Of course, you could use the silhouette of a piece of a jigsaw > puzzle..... maybe with 5 "connectors", > but that would be too obscure... > > Or, yet still, combine the elements, a jigsaw puzzle piece, with a > starfish, inside a pentagon, > on the surface of the puzzle piece. ;-) > > Of course, there is the idea of a simple old fashioned "Flask" as a > logo...... maybe even an > antique flask, like a goatskin wine canteen (Zahato). That idea has some > style.... Filled with a good single malt? > Some interesting ideas. How about this one: A gold key, the shape of which is consistent with the key in the NSA logo being held onto by the eagle. Superimposed over the key is a red exclamation point or perhaps a red "I" information bubble icon. That's my 0.02 cents (or 0.0222 CD) ;-) Marc Schwartz From jdennis at redhat.com Wed Aug 30 16:30:20 2006 
From: jdennis at redhat.com (John Dennis) Date: Wed, 30 Aug 2006 12:30:20 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> Message-ID: <1156955420.18802.76.camel@finch.boston.redhat.com> On Wed, 2006-08-30 at 10:22 -0500, Marc Schwartz wrote: > >> We would like some suggestions, anybody have a good idea? Just remember > >> it has to be identifiable at small sizes. Images associated with the NSA > >> probably won't get warm feelings in a variety of places. > > It seems to me that (notwithstanding the political overtones) this > position would be denying their significant contributions to this > effort. Not just the organization as an entity, but that of key > individuals. I did not mean to denigrate the contributions of the NSA nor anyone associated with it, rather I wanted to draw attention to the power of images. Previous threads which considered a logo or icon for SELinux often saw suggestions related to the NSA, but this would be problematic. Perception is key in selecting iconography. Any visible suggestion that the software which has been installed on a user's system could be related to NSA monitoring will create barriers to acceptance. We're trying to dismantle the acceptance barriers, not erect new ones. Those of us involved in SELinux work clearly understand the technology has nothing to do with NSA monitoring but that is of little value when countering public perception fueled by uninformed conclusions. Bear in mind the iconography will be viewed not just by Linux geeks familiar with the technology and its history but potentially by any desktop user, domestic and international for whom this may be their first visible introduction to the technology. We don't want them to draw the false conclusion the NSA has tentacles into their private computer. -- John Dennis Red Hat Inc. From rirving at antient.org Wed Aug 30 16:45:20 2006 
From: rirving at antient.org (Richard Irving) Date: Wed, 30 Aug 2006 12:45:20 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> Message-ID: <44F5C0A0.3060009@antient.org> Marc Schwartz wrote: > Richard Irving wrote: > >> >> Of course, there is the idea of a simple old fashioned "Flask" as a >> logo...... maybe even an >> antique flask, like a goatskin wine canteen (Zahato). That idea has >> some style.... > > > Filled with a good single malt? Only if it has been *properly* aged in a burnt oak barrel. ;-) > > Some interesting ideas. > > How about this one: > > A gold key, the shape of which is consistent with the key in the NSA > logo being held onto by the eagle. Superimposed over the key is a red > exclamation point or perhaps a red "I" information bubble icon. I like that. I also like the black and white alternating pentacle on the edge of the seal, it is a distinctive symbol. How about combining ideas, as long as they still work at the icon level..... The flask (Bota) has an outline that conforms with many of the PHI curves, such as the nautilus, that trademark the Unix philosophy... (debian logo, the snail shell.... etc.) So does the pentacle, obviously. (Although, not -curves-...) A: The bota flask, with the alternating black and white pentacle, on the side.... with the Key superimposed over the pentacle... gives one an excuse to make the key "Golden", as well.... (this is rather simple) B: Or, the Golden key about to be inserted into a lock, the keyhole is located in the center of an alternating pentacle, perhaps in the interior pentagon.... With a golden or red capital "I", as the keyhole.... but the lock outline, describing the symbol PHI, using the I (the keyhole) as the center I of the phi symbol. (The outline of the lock forming the oblong O around the I) (this, a little more complex...) 
Another .02c, dreams are cheap. :-) > > That's my 0.02 cents (or 0.0222 CD) ;-) > > Marc Schwartz > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From pvishnoi at networkprograms.com Wed Aug 30 16:58:53 2006 From: pvishnoi at networkprograms.com (Pranav Vishnoi) Date: Wed, 30 Aug 2006 22:28:53 +0530 Subject: Icons Disapperd References: <20060821192010.57e41681@heimdall.crayne.org> <44EC9E8B.9090107@redhat.com> <04ab01c6c861$b9ec1e80$e5ca09c0@networkprograms.com> <44EF2D0F.9070700@redhat.com> <04e601c6c874$9851d860$e5ca09c0@networkprograms.com> <44EF4869.1080007@fedoraproject.org> Message-ID: <022401c6cc55$941e0680$e5ca09c0@networkprograms.com> Hi Rahul, I have relabeled / using the fixfiles command and created a new module using the audit2allow command. But after doing these things I have some problems related to "ssh" and the terminal icon placed in the task bar. After doing setenforce 1: 1. My terminal closes automatically and I am unable to log in after logging out as root. 2. I am unable to connect to that machine from another machine using ssh. 3. Some errors related to gconfd also appear (icon placed on the taskbar). Please provide me a solution or any documentation. Regards, Pranav Vishnoi From mschwartz at mn.rr.com Wed Aug 30 16:59:22 2006 
From: mschwartz at mn.rr.com (Marc Schwartz (via MN)) Date: Wed, 30 Aug 2006 11:59:22 -0500 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <1156955420.18802.76.camel@finch.boston.redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> <1156955420.18802.76.camel@finch.boston.redhat.com> Message-ID: <1156957162.4098.19.camel@localhost.localdomain> On Wed, 2006-08-30 at 12:30 -0400, John Dennis wrote: > On Wed, 2006-08-30 at 10:22 -0500, Marc Schwartz wrote: > > >> We would like some suggestions, anybody have a good idea? Just remember > > >> it has to be identifiable at small sizes. Images associated with the NSA > > >> probably won't get warm feelings in a variety of places. > > > > It seems to me that (notwithstanding the political overtones) this > > position would be denying their significant contributions to this > > effort. Not just the organization as an entity, but that of key > > individuals. > > I did not mean to denigrate the contributions of the NSA nor anyone > associated with it, rather I wanted to draw attention to the power of > images. Previous threads which considered a logo or icon for SELinux > often saw suggestions related to the NSA, but this would be problematic. > > Perception is key in selecting iconography. Any visible suggestion that > the software which has been installed on a user's system could be > related to NSA monitoring will create barriers to acceptance. We're > trying to dismantle the acceptance barriers, not erect new ones. Those > of us involved in SELinux work clearly understand the technology has > nothing to do with NSA monitoring but that is of little value when > countering public perception fueled by uninformed conclusions. 
Bear in > mind the iconography will be viewed not just by Linux geeks familiar > with the technology and its history but potentially by any desktop user, > domestic and international for whom this may be their first visible > introduction to the technology. We don't want them to draw the false > conclusion the NSA has tentacles into their private computer. John, I appreciate the position. I did not mean to infer that the icon(s) needed to be overt representations based upon their logo, which in turn is tied to the commonality of official U.S. government logos. Something more subtle would still seem acceptable without invoking negative reactions, here and abroad. At some point, most security related iconography is going to be related to the fundamental issues inherent in this discussion, whether they be some form of badge/shield (police or military), swords (or more generally, weapons of some type) or something similar. That's why I referenced the key. It is something of a more general security symbol, while still tying back to the NSA in a more subtle fashion. As someone smarter than I once said: "Facts are negotiable, perception is reality" Having a daughter who just returned from spending five weeks in northern Uganda working with Invisible Children, I can certainly appreciate the power and impact of images... Thanks John. Regards, Marc From mschwartz at mn.rr.com Wed Aug 30 17:08:49 2006 
From: mschwartz at mn.rr.com (Marc Schwartz (via MN)) Date: Wed, 30 Aug 2006 12:08:49 -0500 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F5C0A0.3060009@antient.org> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> <44F5C0A0.3060009@antient.org> Message-ID: <1156957729.4098.27.camel@localhost.localdomain> On Wed, 2006-08-30 at 12:45 -0400, Richard Irving wrote: > Marc Schwartz wrote: > > > Richard Irving wrote: > > > >> > >> Of course, there is the idea of a simple old fashioned "Flask" as a > >> logo...... maybe even an > >> antique flask, like a goatskin wine canteen (Zahato). That idea has > >> some style.... > > > > > > Filled with a good single malt? > > Only if it has been *properly* aged in a burnt oak barrel. ;-) Burnt oak barrels previously used to age Sherry... ;-) > > Some interesting ideas. > > > > How about this one: > > > > A gold key, the shape of which is consistent with the key in the NSA > > logo being held onto by the eagle. Superimposed over the key is a red > > exclamation point or perhaps a red "I" information bubble icon. > > I like that. I also like the black and white alternating pentacle on > the edge of the seal, it is distinctive symbol. > > How about combining idea's, as long as they still work at the icon > level..... > > The flask (Bota) has an outline that conforms with many of the PHI > curves, such as the nautilus, > that trademark the Unix philosophy... (debian logo, the snail > shell.... etc.) > > So does the pentacle, obviously. (Although, not -curves-...) > > A: > The bota flask, with the alternating black and white pentacle, on the > side.... > with the Key superimposed over the pentacle... gives one an excuse > to make the key "Golden", as well.... (this is rather simple) > > B: > Or, the Golden key about to be inserted into a lock, the keyhole is > located in > the center of an alternating pentacle, perhaps in the interior > pentagon.... 
> With a golden or red capital "I", as the keyhole.... but the lock > outline, > describing the symbol PHI, using the I (the keyhole) as the center > I of the phi symbol. (The outline of the lock forming the oblong O > around the I) > (this, a little more complex...) Phine ideas! ;-) > Another .02c, dreams are cheap. :-) Yes, but turning them into reality is hard work indeed... :-) Cheers, Marc From nicolas.mailhot at laposte.net Wed Aug 30 22:46:43 2006 From: nicolas.mailhot at laposte.net (Nicolas Mailhot) Date: Thu, 31 Aug 2006 00:46:43 +0200 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <1156955420.18802.76.camel@finch.boston.redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> <1156955420.18802.76.camel@finch.boston.redhat.com> Message-ID: <1156978003.20239.3.camel@rousalka.dyndns.org> I propose a Horus eye since selinux checks the system against forbidden accesses. I haven't the faintest idea if it's used by the NSA or anyone else (probably - it's an old and well-known symbol) -- Nicolas Mailhot From knute at frazmtn.com Wed Aug 30 23:26:59 2006 
From: knute at frazmtn.com (Knute Johnson) Date: Wed, 30 Aug 2006 16:26:59 -0700 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <1156946658.18802.33.camel@finch.boston.redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> Message-ID: <44F5BC53.26511.218358@knute.frazmtn.com> How about an alligator? knute... >We need an icon to be used on the desktop which is associated with >SELinux. The first intended use would be the icon associated with >setroubleshoot to indicate you have an SELinux issue to deal with. > >In the interim we've been using Tux with a badge, but we can't use Tux >because of legal constraints (however, lets not go down that rathole in >this thread :-). > >We can't use a police badge because that's very close to the icon used >for consolehelper root access. > >So far we've come up with: > >* Traffic Light (indicates stop/go). > >* Crossed swords > >* Bobby hat (English policeman) > >We would like some suggestions, anybody have a good idea? Just remember >it has to be identifiable at small sizes. Images associated with the NSA >probably won't get warm feelings in a variety of places. >-- >John Dennis >Red Hat Inc. -- Knute Johnson Molon Labe... From rirving at antient.org Wed Aug 30 23:31:24 2006 
From: rirving at antient.org (Richard Irving) Date: Wed, 30 Aug 2006 19:31:24 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <1156978003.20239.3.camel@rousalka.dyndns.org> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5A1C2.2080007@antient.org> <1156955420.18802.76.camel@finch.boston.redhat.com> <1156978003.20239.3.camel@rousalka.dyndns.org> Message-ID: <44F61FCC.9080203@antient.org> Nicolas Mailhot wrote: >I propose a Horus eye since selinux checks the system against forbidden >accesses. I haven't the faintest idea if it's used by the NSA or anyone >else (probably - it's an old and well-known symbol) > > > Talk about "noiding the masses out", even kindly fatherly Darpa had to drop that from their "Scientia Est Potentia" campaign.... :-P McCarthyism, "born again" or not, is a double edged sword at best. I wonder who will deliver the "Have you no shame ?" speech *this* time... ;-P (Were these different times, your idea has merit... alas...) From nicolas.mailhot at laposte.net Wed Aug 30 23:33:36 2006 
From: nicolas.mailhot at laposte.net (Nicolas Mailhot) Date: Thu, 31 Aug 2006 01:33:36 +0200 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F5BC53.26511.218358@knute.frazmtn.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> Message-ID: <1156980817.32575.0.camel@rousalka.dyndns.org> On Wednesday 30 August 2006 at 16:26 -0700, Knute Johnson wrote: > How about an alligator? Or the crocodile/monkey thing the Egyptians had at judgement day -- Nicolas Mailhot From rirving at antient.org Wed Aug 30 23:54:42 2006 From: rirving at antient.org (Richard Irving) Date: Wed, 30 Aug 2006 19:54:42 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F5BC53.26511.218358@knute.frazmtn.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> Message-ID: <44F62542.5010705@antient.org> Knute Johnson wrote: >How about an alligator? > >knute... > > Hrmm.... a fresh idea. Interesting. A subtle derivative might be a Gecko in a London Fog, with the collar turned up.... But, I digress.... ;-) FWIW, I still like incorporating the "Key" idea, so far... I also like the "wine flask" (Bota) idea, but the black and white alternating pentacle, like the Horus Eye, may be over the top... then again, maybe not... it is a little more subtle. Another .02c. From daobrien at redhat.com Thu Aug 31 07:50:47 2006 
From: daobrien at redhat.com (David O'Brien) Date: Thu, 31 Aug 2006 17:50:47 +1000 Subject: Red Hat SELinux Application Development Guide? In-Reply-To: <1156939075.22210.269.camel@moss-spartans.epoch.ncsc.mil> References: <8EE726B05F4D0D42AE5F0E2BC03CCF530DD63F@TPE-EVS02.ivi.net> <1156939075.22210.269.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <200608311750.47683.daobrien@redhat.com> On Wednesday 30 August 2006 21:57, Stephen Smalley wrote: > On Wed, 2006-08-30 at 19:06 +0800, Benjamin Tsai wrote: > > I googled-out this document for writing selinux-aware software > > application, but can't find any of a link from RedHat. > > > > Does this document exist? Besides, is there any tutorial for writing > > selinux-aware programs? > > > > I have read "Red Hat SELinux Guide", NSA "Implementing SELinux as a > > Linux Security Module," ... and some other documents about writing > > selinux policy. > > > > But still don't get it how to write such a program. Please give me > > some directions. Thx. > > I don't think that such a guide was ever written, although Red Hat did > contribute numerous individual man pages for libselinux functions (and > other SELinux components). > > selinux-doc/PORTING (installed > to /usr/share/doc/selinux-doc-x.y/PORTING) was a short summary of > changes in the SELinux API for people porting code from the old > (pre-2.6) SELinux to the new API. While written to a different > audience, that document may be helpful to you. > > SELinux-aware applications fall into different categories; some of them > are simply aware of security contexts (e.g. to get or set security > contexts of processes or objects, to preserve security contexts on > objects), some of them are using the SELinux API to get finer-grained > protection than one can achieve via policy configuration alone, some of > them are using the SELinux API to get policy decisions to enforce > security policy over their own userspace objects and operations. 
You'll > find examples throughout Fedora, plus the libselinux utils and > policycoreutils included in the core SELinux userland. I've contacted Karsten Wade who was listed as the author of this and am waiting to hear. I didn't see it in any of the listed works in our current repo. -- David O'Brien Red Hat Asia Pacific Pty Ltd Tel: +61-7-3514-8189 Fax: +61-7-3514-8199 email: daobrien at redhat.com web: http://apac.redhat.com/ IRC: daobrien #docs #selinux #devel #doc-i18n From nicolas.mailhot at laposte.net Thu Aug 31 09:03:52 2006 From: nicolas.mailhot at laposte.net (Nicolas Mailhot) Date: Thu, 31 Aug 2006 11:03:52 +0200 (CEST) Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F62542.5010705@antient.org> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> Message-ID: <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> On Thu 31 August 2006 01:54, Richard Irving wrote: > FWIW, I still like incorporating the "Key" idea, > so far... I also like the "wine flask" (Bota) idea, but > the black and white alternating pentacle, like the Horus Eye, may be > over the top... then again, maybe not... it is a little more subtle. Note that the original Horus Eye was painted on boats to protect them, which is exactly what selinux does. The spy associations came much later -- Nicolas Mailhot From nicolas.mailhot at laposte.net Thu Aug 31 09:13:06 2006 
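In the "Red Hat SELinux Application Development Guide?" thread above, Stephen Smalley lists applications that are "simply aware of security contexts" (getting, setting or preserving them on objects) as the first category of SELinux-aware programs. The block below is an added example of that category, not code from the thread, from Red Hat or from the NSA documents it mentions: a file copy that has the kernel create the destination with the source's context, calling libselinux through ctypes. The libselinux functions named are the real C API; the wrapper, parse_context and demo_roundtrip are this example's own, and the sample contexts and file content are constructed.

```python
"""SELinux-aware copy that preserves the source file's security context.

Added example, not code from the thread or any Red Hat/NSA document.
is_selinux_enabled, getfilecon, setfscreatecon and freecon are the real
libselinux C API, reached via ctypes; all else here is this example's own.
Without libselinux, or with SELinux disabled, the copy still succeeds and
the context is reported as None: an aware program degrades, it does not fail.
"""
import ctypes
import ctypes.util
import os
import shutil
import tempfile
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range; absent on non-MLS policies


def parse_context(con: str) -> Optional[Context]:
    """Split 'user:role:type[:level]'; None if malformed. The level may itself
    contain colons ('s0-s0:c0.c1023'), so only the first three separators count."""
    parts = con.split(":", 3)
    if len(parts) < 3 or any(p == "" for p in parts):
        return None
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else None)


def load_libselinux() -> Optional[ctypes.CDLL]:
    """Return a handle to libselinux, or None when it is not installed."""
    name = ctypes.util.find_library("selinux")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.is_selinux_enabled.restype = ctypes.c_int
    lib.getfilecon.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_char_p)]
    lib.getfilecon.restype = ctypes.c_int
    lib.setfscreatecon.argtypes = [ctypes.c_char_p]
    lib.setfscreatecon.restype = ctypes.c_int
    lib.freecon.argtypes = [ctypes.c_char_p]
    lib.freecon.restype = None
    return lib


def get_file_context(lib: Optional[ctypes.CDLL], path: str) -> Optional[str]:
    """Return path's context string, or None when SELinux is unavailable."""
    if lib is None or lib.is_selinux_enabled() <= 0:
        return None
    con = ctypes.c_char_p()
    if lib.getfilecon(os.fsencode(path), ctypes.byref(con)) < 0:
        return None  # e.g. a filesystem that carries no security xattr
    try:
        return con.value.decode()  # copied out before the C string is freed
    finally:
        lib.freecon(con)


def copy_preserving_context(src: str, dst: str,
                            lib: Optional[ctypes.CDLL] = None) -> Optional[str]:
    """Copy src to dst so that dst is *created* with src's context.
    setfscreatecon() has the kernel label the new inode at creation, so dst
    never briefly carries the directory's default label. The create context
    is per-thread state: reset it even if the copy fails, or it leaks into
    every later file creation. Returns the context used, or None."""
    if lib is None:
        lib = load_libselinux()
    con = get_file_context(lib, src)
    if con is not None and lib.setfscreatecon(con.encode()) < 0:
        raise OSError(f"setfscreatecon({con!r}) failed")
    try:
        shutil.copyfile(src, dst)
    finally:
        if con is not None:
            lib.setfscreatecon(None)  # NULL restores default labelling
    return con


def demo_roundtrip() -> dict:
    """Copy a constructed file inside a temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src.conf"), os.path.join(tmp, "dst.conf")
        with open(src, "w") as fh:
            fh.write("setting = value\n")  # constructed sample content
        con = copy_preserving_context(src, dst)
        with open(dst) as fh:
            same = fh.read() == "setting = value\n"
    return {"content_matches": same, "context": con,
            "fields": parse_context(con) if con else None}


if __name__ == "__main__":
    print(demo_roundtrip())
```

On a host where SELinux is enforcing, `demo_roundtrip()` reports the label the copy was created with; elsewhere it reports `None` and the copy still succeeds.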
From: nicolas.mailhot at laposte.net (Nicolas Mailhot) Date: Thu, 31 Aug 2006 11:13:06 +0200 (CEST) Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> Message-ID: <9738.192.54.193.51.1157015586.squirrel@rousalka.dyndns.org> On Thu 31 August 2006 11:03, Nicolas Mailhot wrote: > > On Thu 31 August 2006 01:54, Richard Irving wrote: > >> FWIW, I still like incorporating the "Key" idea, >> so far... I also like the "wine flask" (Bota) idea, but >> the black and white alternating pentacle, like the Horus Eye, may be >> over the top... then again, maybe not... it is a little more subtle. > > Note that the original Horus Eye was painted on boats to protect them, > which is exactly what selinux does. The spy associations came much later (and you can probably disambiguate the meaning by drawing a trireme prow around it) -- Nicolas Mailhot From selinux at gmail.com Thu Aug 31 14:22:55 2006 From: selinux at gmail.com (Tom London) Date: Thu, 31 Aug 2006 07:22:55 -0700 Subject: Error with today's selinux-policy-targeted update Message-ID: <4c4ba1530608310722l1e9119ddq2452f7e784b89fc@mail.gmail.com> Running rawhide, targeted/enforcing. During today's update of selinux-policy-targeted-2.3.10-3, I get: Updating : selinux-policy-targeted ##################### [ 37/142] libsepol.print_missing_requirements: oddjob's global requirements were not met: type/attribute oddjob_mkhomedir_t libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! No obvious messages in /var/log/messages or /var/log/audit/audit.log tom -- Tom London From jmorris at namei.org Thu Aug 31 15:06:39 2006 
From: jmorris at namei.org (James Morris) Date: Thu, 31 Aug 2006 11:06:39 -0400 (EDT) Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> Message-ID: What about something with a honeycomb structure, to suggest the compartmented nature of an SELinux system? Keys suggest crypto. - James -- James Morris From dwalsh at redhat.com Thu Aug 31 15:34:47 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 31 Aug 2006 11:34:47 -0400 Subject: Error with today's selinux-policy-targeted update In-Reply-To: <4c4ba1530608310722l1e9119ddq2452f7e784b89fc@mail.gmail.com> References: <4c4ba1530608310722l1e9119ddq2452f7e784b89fc@mail.gmail.com> Message-ID: <44F70197.9090700@redhat.com> Tom London wrote: > Running rawhide, targeted/enforcing. > > During today's update of selinux-policy-targeted-2.3.10-3, I get: > > Updating : selinux-policy-targeted ##################### [ 37/142] > libsepol.print_missing_requirements: oddjob's global requirements were > not met: type/attribute oddjob_mkhomedir_t > libsemanage.semanage_link_sandbox: Link packages failed > semodule: Failed! > > No obvious messages in /var/log/messages or /var/log/audit/audit.log > > tom Thanks, fixed in tonight's rawhide. From dwalsh at redhat.com Thu Aug 31 15:35:44 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 31 Aug 2006 11:35:44 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> Message-ID: <44F701D0.10606@redhat.com> James Morris wrote: > What about something with a honeycomb structure, to suggest the > compartmented nature of an SELinux system? > > Keys suggest crypto. > > > > > - James > Another suggestion would be a shield, think Middle Ages. From andrew.suchoski at hp.com Thu Aug 31 15:55:23 2006 From: andrew.suchoski at hp.com (Andy Suchoski) Date: Thu, 31 Aug 2006 11:55:23 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F701D0.10606@redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> <44F701D0.10606@redhat.com> Message-ID: <44F7066B.1090207@hp.com> Daniel J Walsh wrote: > James Morris wrote: >> What about something with a honeycomb structure, to suggest the >> compartmented nature of an SELinux system? >> >> Keys suggest crypto. >> >> >> >> >> - James >> > Another suggestion would be a shield, think Middle Ages. How about something like a Tux with a sword and shield. http://www.barelyfitz.com/services/3d/tux-frontpage.jpg From dwalsh at redhat.com Thu Aug 31 16:03:33 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 31 Aug 2006 12:03:33 -0400 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F7066B.1090207@hp.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F5BC53.26511.218358@knute.frazmtn.com> <44F62542.5010705@antient.org> <36794.192.54.193.51.1157015032.squirrel@rousalka.dyndns.org> <44F701D0.10606@redhat.com> <44F7066B.1090207@hp.com> Message-ID: <44F70855.6060509@redhat.com> Andy Suchoski wrote: > Daniel J Walsh wrote: >> James Morris wrote: >>> What about something with a honeycomb structure, to suggest the >>> compartmented nature of an SELinux system? >>> >>> Keys suggest crypto. >>> >>> >>> >>> >>> - James >>> >> Another suggestion would be a shield, think Middle Ages. > > How about something like a Tux with a sword and shield. > > http://www.barelyfitz.com/services/3d/tux-frontpage.jpg > Cute but Tux/Penguins are not allowed. Also they want to avoid hats. From lamont at gurulabs.com Thu Aug 31 16:31:14 2006 
From: lamont at gurulabs.com (Lamont R. Peterson) Date: Thu, 31 Aug 2006 10:31:14 -0600 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F701D0.10606@redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F701D0.10606@redhat.com> Message-ID: <200608311031.15118.lamont@gurulabs.com> On Thursday 31 August 2006 09:35am, Daniel J Walsh wrote: [snip] > Another suggestion would be a shield, think Middle Ages. That reminds me of the AppArmor logo. Probably not a good idea because of that parallel. -- Lamont R. Peterson Senior Instructor Guru Labs, L.C. [ http://www.GuruLabs.com/ ] NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's. From lamont at gurulabs.com Thu Aug 31 16:35:00 2006 
From: lamont at gurulabs.com (Lamont R. Peterson) Date: Thu, 31 Aug 2006 10:35:00 -0600 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F70855.6060509@redhat.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F7066B.1090207@hp.com> <44F70855.6060509@redhat.com> Message-ID: <200608311035.00884.lamont@gurulabs.com> On Thursday 31 August 2006 10:03am, Daniel J Walsh wrote: > Andy Suchoski wrote: [snip] > Cute but Tux/Penguins are not allowed. Also they want to avoid hats. How about a maze with paths that lead to "rooms" inside, but no connections between the separate paths. The rooms could even have something in them to indicate they are "serving" different things. The outer wall could look like a computer case or motherboard. -- Lamont R. Peterson Senior Instructor Guru Labs, L.C. [ http://www.GuruLabs.com/ ] NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's. From dragoran at feuerpokemon.de Thu Aug 31 16:50:12 2006 
From: dragoran at feuerpokemon.de (dragoran) Date: Thu, 31 Aug 2006 18:50:12 +0200 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <200608311035.00884.lamont@gurulabs.com> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <44F7066B.1090207@hp.com> <44F70855.6060509@redhat.com> <200608311035.00884.lamont@gurulabs.com> Message-ID: <44F71344.7040303@feuerpokemon.de> Lamont R. Peterson wrote: > On Thursday 31 August 2006 10:03am, Daniel J Walsh wrote: > >> Andy Suchoski wrote: >> > [snip] > >> Cute but Tux/Penguins are not allowed. Also they want to avoid hats. >> > > How about a maze with paths that lead to "rooms" inside, but no connections > between the separate paths. > > The rooms could even have something in them to indicate they are "serving" > different things. > > The outer wall could look like a computer case or motherboard. > > that won't work as a small icon From lamont at gurulabs.com Thu Aug 31 17:09:30 2006 
From: lamont at gurulabs.com (Lamont R. Peterson) Date: Thu, 31 Aug 2006 11:09:30 -0600 Subject: suggest an icon for selinux (e.g. setroubleshoot) In-Reply-To: <44F71344.7040303@feuerpokemon.de> References: <1156946658.18802.33.camel@finch.boston.redhat.com> <200608311035.00884.lamont@gurulabs.com> <44F71344.7040303@feuerpokemon.de> Message-ID: <200608311109.30745.lamont@gurulabs.com> On Thursday 31 August 2006 10:50am, dragoran wrote: > Lamont R. Peterson wrote: > > On Thursday 31 August 2006 10:03am, Daniel J Walsh wrote: > >> Andy Suchoski wrote: > > > > [snip] > > > >> Cute but Tux/Penguins are not allowed. Also they want to avoid hats. > > > > How about a maze with paths that lead to "rooms" inside, but no > > connections between the separate paths. > > > > The rooms could even have something in them to indicate they are > > "serving" different things. > > > > The outer wall could look like a computer case or motherboard. > > that won't work as a small icon You have a good point, there. It would have to be kept simple. It could work as a small icon, by just drawing only a small part, such as only 2 rooms with short paths and let the rest "fade out" into the "distance" (i.e., let further walls be truncated). I realized while I was suggesting it that this could easily become too complicated to work well for an icon type logo. Still, I put the idea out there, we just have to suppress our tendency to want to see the whole big picture at once and, instead, just zoom in to show only enough to clearly see that which sets SELinux apart (pun intended). -- Lamont R. Peterson Senior Instructor Guru Labs, L.C. [ http://www.GuruLabs.com/ ] NOTE: All messages from this email address should be digitally signed with my 0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as well as other keyservers that sync with MIT's. 
From icebarron at yahoo.com Wed Aug 9 02:45:23 2006 From: icebarron at yahoo.com (Icebarron) Date: Wed, 09 Aug 2006 02:45:23 -0000 Subject: un In-Reply-To: <20060808160013.C7B7C73279@hormel.redhat.com> Message-ID: <20060809024510.26675.qmail@web33506.mail.mud.yahoo.com> unsubscribe