From stefano at proinco.net Fri Dec 1 17:00:14 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 1 Dec 2006 09:00:14 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 1
Message-ID: <20061201170014.7114.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office.

Regards,
Stefano Bagnasco

From dlopez at humnet.ucla.edu Fri Dec 1 20:36:46 2006
From: dlopez at humnet.ucla.edu (Lopez, Denise)
Date: Fri, 1 Dec 2006 12:36:46 -0800
Subject: SELinux troubleshooting

Hello everyone,

I keep getting the following messages in my messages log about every 30 seconds or so. I have SELinux set to enforcing and targeted mode. If I do a getenforce on the command line it returns enforcing.

Dec 1 12:31:03 dev kernel: audit(1165005063.015:258313): avc: denied { getattr } for pid=31342 comm="snmpd" name="/" dev=sda3 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir

I need help deciphering what is happening. I have a snmpd daemon running that responds to queries from a Nagios host that performs service checks.

Thanks in advance.

Denise Lopez
UCLA Center for Digital Humanities
Network Services
Systems Engineer
337 Charles E. Young Drive East
PPB 1020
Los Angeles, CA 90095
310/206-8216

From dwalsh at redhat.com Fri Dec 1 21:59:05 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 01 Dec 2006 16:59:05 -0500
Subject: SELinux troubleshooting
Message-ID: <4570A5A9.6000106@redhat.com>

Lopez, Denise wrote:
>
> Hello everyone,
>
> I keep getting the following messages in my messages log about every
> 30 seconds or so. I have SELinux set to enforcing and targeted mode.
> If I do a getenforce on the command line it returns enforcing.
>
> Dec 1 12:31:03 dev kernel: audit(1165005063.015:258313): avc: denied
> { getattr } for pid=31342 comm="snmpd" name="/" dev=sda3 ino=2
> scontext=system_u:system_r:snmpd_t
> tcontext=system_u:object_r:home_root_t tclass=dir
>
> I need help deciphering what is happening. I have a snmpd daemon
> running that responds to queries from a Nagios host that performs
> service checks.
>
snmp is trying to getattr /home, which is being denied by SELinux. The latest policy looks like this is allowed. So you can either update to the latest policy, or you can use

grep snmpd_t /var/log/audit/audit.log | audit2allow -M mysnmp

and load your own custom policy.

> Thanks in advance.
>
> Denise Lopez
>
> UCLA Center for Digital Humanities
>
> Network Services
>
> Systems Engineer
>
> 337 Charles E. Young Drive East
>
> PPB 1020
>
> Los Angeles, CA 90095
>
> 310/206-8216
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From mantaray_1 at cox.net Sat Dec 2 20:05:40 2006
From: mantaray_1 at cox.net (Ken)
Date: Sat, 02 Dec 2006 13:05:40 -0700
Subject: Firefox on strict policy
In-Reply-To: <456F3451.3040305@redhat.com>
References: <45671179.90005@cox.net> <456B422B.1030206@redhat.com> <456EFE83.10200@cox.net> <456F0CFD.9090300@redhat.com> <456F2B95.3000805@cox.net> <456F3451.3040305@redhat.com>
Message-ID: <4571DC94.9050102@cox.net>

I used grep as well. Adding a boolean sounds like a great idea.
-Ken-

Daniel J Walsh wrote:
> Ken wrote:
>> Thank you for your response. I inadvertently sent my response to the
>> previous message to your address rather than the list, and later
>> posted it to the list. I noticed that you did not send this reply to
>> the list so I did not know if it was appropriate to post my response
>> on the list or not, and I chose not to. I have already written a
>> program/script which removed the "dontaudit" statements from the ".te"
>> files in the policy while I was in the process of troubleshooting
>> this problem. This was helpful, but I have noticed dontaudit
>> statements occurring in other files as well, and I am interested in
>> learning more about the enableaudit module. I searched my hard drive
>> for the source code and did not find it. Where can I find the source
>> code for the module?
>>
>> -Ken-
>>
> I have no problem if this is on list. Problem is I am not sure which
> list it belongs to.
> enableaudit.pp is created from the same source file as the rest of the
> code. Basically it uses the grep -v dontaudit out of the policy file
> and rebuilds. So I am sure you did the same thing. The plan is to
> eventually add some kind of boolean to turn on/off dontaudit rules.
>> Daniel J Walsh wrote:
>>> Ken wrote:
>>>> Thanks for the suggestion, but it was not labeling. It appears to
>>>> have had something to do with mls, although I have not had the time
>>>> to figure out exactly what. I changed all the mls levels to s0 and
>>>> the problem went away. It sure would be nice if there were a
>>>> feature to disable all "dontaudit" statements for policy debugging.
>>>>
>>> semodule -b /usr/share/selinux/mls/enableaudit.pp
>>>
>>>> -Ken-
>>>>
>>>> Daniel J Walsh wrote:
>>>>> Ken wrote:
>>>>>> I am attempting to get a strict policy working on my FC-6 system
>>>>>> (version 2.4.3-2.fc6). I have successfully created a user
>>>>>> account, and I can log both the root and the user account into
>>>>>> the GUI.
>>>>>> I am attempting to get Firefox to work and I am having
>>>>>> difficulties. If I click on the Firefox icon, I see the program
>>>>>> listed as opening, and it stays that way for a few seconds and
>>>>>> then disappears. If I check the message log (/var/log/messages),
>>>>>> there are no messages (either avc or other) generated as a result
>>>>>> of the attempt. This only happens when the policy is enforcing.
>>>>>> When the policy is not enforcing, Firefox loads properly --
>>>>>> also with no messages. I have noticed that Firefox is not
>>>>>> writing to its .mozilla folder when the policy is enforcing, and
>>>>>> that it does write to several files in this folder when it loads
>>>>>> properly. This problem affects both my user account and the root
>>>>>> account. Can someone please explain why I am not receiving any
>>>>>> error messages (or any messages at all), and let me know what
>>>>>> needs to be changed in order to load Firefox?
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> check /var/log/audit/audit.log for avc messages.
>>>>>
>>>>> I would guess you have a labeling problem on your home dir.
>>>>>
>>>>> restorecon -R -v ~/
>>>
>>>
>
>

From borzoi at caltanet.it Sun Dec 3 11:58:10 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Sun, 3 Dec 2006 12:58:10 +0100
Subject: References on use of cryptography in SELinux
Message-ID: <002901c716d2$5e8cfdb0$02bf6850@STEFANENKO>

Hello everybody,

for a specialist piece of work, I need to find references on the topic in the Subject line.

Paolo
From linux_4ever at yahoo.com Sun Dec 3 14:52:41 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Sun, 3 Dec 2006 06:52:41 -0800 (PST)
Subject: References on use of cryptography in SELinux
In-Reply-To: <002901c716d2$5e8cfdb0$02bf6850@STEFANENKO>
Message-ID: <106697.40158.qm@web51507.mail.yahoo.com>

> for a specialist piece of work, I need to find references on the topic in the Subject line.

SE Linux does not encrypt/decrypt anything. It's just an access control mechanism for many different kinds of resources.

-Steve

From skadz1 at gmail.com Sun Dec 3 19:48:46 2006
From: skadz1 at gmail.com (Ryan Skadberg)
Date: Sun, 3 Dec 2006 14:48:46 -0500
Subject: Nagios Web Interface and SELinux
Message-ID: <8719b8230612031148x69f8ba99q2d75173b5468733e@mail.gmail.com>

I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably.
When looking at /var/log/messages, I see things like:

Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

I noticed in the selinux-policy-targeted Changelog:

* Wed Jul 26 2006 Dan Walsh 2.3.3-13
- Add nagios policy

This may have been for the program itself or maybe the web interface, but it sure doesn't seem to be working for me.

Both systems are set to:

SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0

Anyone have any advice on how to fix this?

Thanks!
Skadz

From dwalsh at redhat.com Mon Dec 4 16:50:30 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Dec 2006 11:50:30 -0500
Subject: Nagios Web Interface and SELinux
In-Reply-To: <8719b8230612031148x69f8ba99q2d75173b5468733e@mail.gmail.com>
References: <8719b8230612031148x69f8ba99q2d75173b5468733e@mail.gmail.com>
Message-ID: <457451D6.9050209@redhat.com>

Ryan Skadberg wrote:
> I have been trying to get nagios up and running on 2 different
> machines. One running FC5 and one running FC6. Nagios itself starts
> up fine, but the web interface fails miserably.
>
> When looking at /var/log/messages, I see things like:
> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
Where is this file located? Looks like this needs a context like httpd_sys_content_t or httpd_sys_script_t.

chcon -R -t httpd_sys_content_t PATH_TO_DIR

> I noticed in the selinux-policy-targeted Changelog:
>
> * Wed Jul 26 2006 Dan Walsh 2.3.3-13
> - Add nagios policy
>
> This may have been for the program itself or maybe the web interface,
> but it sure doesn't seem to be working for me.
>
> Both systems are set to:
>
> SELINUX=enforcing
> SELINUXTYPE=targeted
> SETLOCALDEFS=0
>
> Anyone have any advice on how to fix this?
>
> Thanks!
> Skadz
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dlopez at humnet.ucla.edu Tue Dec 5 00:37:44 2006
From: dlopez at humnet.ucla.edu (Lopez, Denise)
Date: Mon, 4 Dec 2006 16:37:44 -0800
Subject: SELinux troubleshooting
In-Reply-To: <4570A5A9.6000106@redhat.com>

Dear Daniel,

Thanks for the help. I decided to create a custom policy with audit2allow. It seemed to work since I am not getting any more avc denied messages. I did see the following errors though and I was wondering what they meant.

This means the custom policy was applied.

Dec 4 15:45:10 dev kernel: security: 3 users, 4 roles, 355 types, 26 bools
Dec 4 15:45:10 dev kernel: security: 55 classes, 22587 rules

I was just wondering what these meant?

Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327 uid=81 loginuid=-1 message=avc: received policyload notice (seqno=3)
Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327 uid=81 loginuid=-1 message=avc: 0 AV entries and 0/512 buckets used, longest chain length 0

Thanks in advance.

Denise Lopez
UCLA Center for Digital Humanities
Network Services
Systems Engineer
337 Charles E.
Young Drive East
PPB 1020
Los Angeles, CA 90095
310/206-8216

From eparis at redhat.com Tue Dec 5 11:55:05 2006
From: eparis at redhat.com (Eric Paris)
Date: Tue, 05 Dec 2006 06:55:05 -0500
Subject: SELinux troubleshooting
Message-ID: <1165319705.8203.12.camel@localhost.localdomain>

On Mon, 2006-12-04 at 16:37 -0800, Lopez, Denise wrote:
> Dear Daniel,
>
> Thanks for the help.
> I decided to create a custom policy with
> audit2allow. It seemed to work since I am not getting any more avc
> denied messages. I did see the following errors though and I was
> wondering what they meant.
>
> This means the custom policy was applied.
> Dec 4 15:45:10 dev kernel: security: 3 users, 4 roles, 355 types, 26
> bools
> Dec 4 15:45:10 dev kernel: security: 55 classes, 22587 rules
>
> I was just wondering what these meant?
> Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327
> uid=81 loginuid=-1 message=avc: received policyload notice (seqno=3)
> Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327
> uid=81 loginuid=-1 message=avc: 0 AV entries and 0/512 buckets used,
> longest chain length 0

Sounds like Red Hat BZ 218207. If you have some clear steps to reliably reproduce I think they would be very interested in that BZ.

-Eric
From linux_4ever at yahoo.com Tue Dec 5 20:53:57 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Tue, 5 Dec 2006 12:53:57 -0800 (PST)
Subject: SELinux troubleshooting
In-Reply-To: <1165319705.8203.12.camel@localhost.localdomain>
Message-ID: <937848.90060.qm@web51511.mail.yahoo.com>

>> Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327
>> uid=81 loginuid=-1 message=avc: received policyload notice (seqno=3)
>> Dec 4 15:45:10 dev dbus: Can't send to audit system: USER_AVC pid=3327
>> uid=81 loginuid=-1 message=avc: 0 AV entries and 0/512 buckets used,
>> longest chain length 0
>
> Sounds like Red Hat BZ 218207. If you have some clear steps to reliably
> reproduce I think they would be very interested in that BZ.

No, not at all. These are harmless messages sent by dbus that have nothing to do with BZ 218207. The first one is dbus not having the right capabilities to send an audit message, but it sends it to syslog just in case. The second one is some performance statistics that libselinux felt compelled to send. Both of these are harmless messages.

-Steve
From mattdm at mattdm.org Fri Dec 8 14:47:49 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Fri, 8 Dec 2006 09:47:49 -0500
Subject: permission denied errors upgrading kernel
Message-ID: <20061208144749.GA12631@jadzia.bu.edu>

So, I'm trying to back myself out of having the non-working 2.6.19 kernel packages installed in rawhide. What's up with these errors?

$ ls kernel-*.rpm
kernel-2.6.18-1.2849.fc6.x86_64.rpm
kernel-devel-2.6.18-1.2849.fc6.x86_64.rpm
kernel-headers-2.6.18-1.2849.fc6.x86_64.rpm
$ sudo rpm -ivh kernel-*
Preparing...                ########################################### [100%]
   1:kernel-headers         ########################################### [ 33%]
   2:kernel                 ########################################### [ 67%]
cp: cannot set setfscreatecon `system_u:object_r:sbin_t:s0': Permission denied
cp: cannot set setfscreatecon `system_u:object_r:insmod_exec_t:s0': Permission denied
cp: cannot set setfscreatecon `system_u:object_r:lvm_exec_t:s0': Permission denied
   3:kernel-devel           ########################################### [100%]

This is accompanied by a bunch of this in the log:

audit(1165588655.467:18): avc: denied { setfscreate } for pid=3096 comm="cp" scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:bootloader_t:s0 tclass=process
audit(1165588655.563:19): avc: denied { execute_no_trans } for pid=3097 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.563:20): avc: denied { execute_no_trans } for
pid=3098 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.599:21): avc: denied { execute_no_trans } for pid=3099 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.615:22): avc: denied { execute_no_trans } for pid=3100 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.639:23): avc: denied { execute_no_trans } for pid=3101 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=3112970 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.663:24): avc: denied { execute_no_trans } for pid=3102 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=3112970 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.691:25): avc: denied { setfscreate } for pid=3108 comm="cp" scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:bootloader_t:s0 tclass=process
audit(1165588655.695:26): avc: denied { execute_no_trans } for pid=3109 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.699:27): avc: denied { execute_no_trans } for pid=3110 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.699:28): avc: denied { execute_no_trans } for pid=3111 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.699:29): avc: denied { execute_no_trans } for pid=3112 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275
scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.699:30): avc: denied { execute_no_trans } for pid=3113 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=3112970 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588655.703:31): avc: denied { execute_no_trans } for pid=3114 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=3112970 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588656.087:32): avc: denied { setfscreate } for pid=3184 comm="cp" scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:bootloader_t:s0 tclass=process
audit(1165588656.091:33): avc: denied { execute_no_trans } for pid=3185 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588656.095:34): avc: denied { execute_no_trans } for pid=3186 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588656.095:35): avc: denied { execute_no_trans } for pid=3187 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588656.095:36): avc: denied { execute_no_trans } for pid=3188 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=950275 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588656.099:37): avc: denied { execute_no_trans } for pid=3189 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=3112970 scontext=user_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
audit(1165588656.099:38): avc: denied { execute_no_trans } for pid=3190 comm="mkinitrd" name="ld-2.5.90.so" dev=dm-0 ino=3112970 scontext=user_u:system_r:bootloader_t:s0
tcontext=system_u:object_r:ld_so_t:s0 tclass=file

Thank you, SE Linux!

I haven't rebooted yet, but presumably it isn't gonna be happy. How do I fix this? How do I make this not ever happen? How can I tell that it was going to happen BEFORE it happens?

--
Matthew Miller           mattdm at mattdm.org
Boston University Linux  ------>

From mattdm at mattdm.org Fri Dec 8 15:35:09 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Fri, 8 Dec 2006 10:35:09 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <20061208144749.GA12631@jadzia.bu.edu>
References: <20061208144749.GA12631@jadzia.bu.edu>
Message-ID: <20061208153509.GA15942@jadzia.bu.edu>

On Fri, Dec 08, 2006 at 09:47:49AM -0500, Matthew Miller wrote:
> cp: cannot set setfscreatecon `system_u:object_r:sbin_t:s0': Permission denied
> cp: cannot set setfscreatecon `system_u:object_r:insmod_exec_t:s0': Permission denied
> cp: cannot set setfscreatecon `system_u:object_r:lvm_exec_t:s0': Permission denied
[...]
> I haven't rebooted yet, but presumably it isn't gonna be happy.

Yep, can't exec init. Thank you, SE Linux! That's about as secure as a computer can get.

--
Matthew Miller           mattdm at mattdm.org
Boston University Linux  ------>
From mayerf at tresys.com Mon Dec 11 14:05:41 2006
From: mayerf at tresys.com (Frank L. Mayer)
Date: Mon, 11 Dec 2006 09:05:41 -0500
Subject: Speakers for 3rd SELinux Symposium (Registration opens)
Message-ID: <3F5870E81362A647A4DA1D0DF8F10268772053@exchange.columbia.tresys.com>

All,

we have announced the speakers for the 3rd SELinux Symposium, which will be held in Baltimore, Maryland on 12-16 March 2007. You can see the agenda, paper and tutorial abstracts, and registration information at the web site: www.selinux-symposium.org. Below is the text from the press release.

Hope you can join us again at this conference. Thanks to all the authors who submitted papers. You can still participate by submitting case study and works-in-progress proposals (see web site).

Frank

===============================================================

Speakers Confirmed for the Third Annual Security Enhanced Linux Symposium and Developer Summit

Event Slated for March 12-16, 2007 in Baltimore, Maryland, USA

Baltimore, Maryland - December 11, 2006 - The Security Enhanced Linux (SELinux) Symposium announces papers and speakers for its third annual symposium. Experts from business, government, and academia will share and discuss the latest SELinux application experience, research and development results, and product plans. The event explores the popular SELinux technology and the power of flexible mandatory access control in Linux.
Registration for the SELinux Symposium, scheduled for March 12-16, 2007 in Baltimore, Maryland, is now open at www.selinux-symposium.org.

The Third SELinux Symposium features two full days of SELinux-related tutorials followed by a two-day technical agenda that includes papers, presentations, and case studies by experts and practitioners with SELinux. Topics for the symposium include changes and extensions to the core SELinux technology, advances in SELinux policy management and development, and the use of SELinux to build secure system solutions. The symposium also includes an invitation-only SELinux developer summit, where the core developers and contributors of SELinux discuss upcoming technology changes, requirements, and plans.

Papers for the symposium were selected via a community review process and include authors from several organizations, including atsec, Hewlett-Packard, IBM, Pennsylvania State University, Red Hat, SPARTA, Tresys Technology, University of Maryland-Baltimore County, U.S. Joint Forces Command, and the U.S. National Security Agency. The full agenda for the symposium is available at www.selinux-symposium.org.

About the SELinux Symposium

The Security Enhanced Linux (SELinux) Symposium is an annual exchange of ideas, technology, and research involving SELinux. SELinux is emerging technology that adds flexible, strong mandatory access control security to Linux. The third annual symposium is scheduled for March 12-16, 2007 in Baltimore, Maryland, USA. This year's symposium is sponsored by Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings together experts from business, government, and academia to share research, development, and application experiences using SELinux. For information on registration and sponsorship opportunities, see www.selinux-symposium.org.
From dwalsh at redhat.com Tue Dec 12 21:45:58 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 12 Dec 2006 16:45:58 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <20061208153509.GA15942@jadzia.bu.edu>
References: <20061208144749.GA12631@jadzia.bu.edu> <20061208153509.GA15942@jadzia.bu.edu>
Message-ID: <457F2316.2060305@redhat.com>

Matthew Miller wrote:
> On Fri, Dec 08, 2006 at 09:47:49AM -0500, Matthew Miller wrote:
>
>> cp: cannot set setfscreatecon `system_u:object_r:sbin_t:s0': Permission denied
>> cp: cannot set setfscreatecon `system_u:object_r:insmod_exec_t:s0': Permission denied
>> cp: cannot set setfscreatecon `system_u:object_r:lvm_exec_t:s0': Permission denied
>>
> [...]
>
>> I haven't rebooted yet, but presumably it isn't gonna be happy.
>>
>
> Yep, can't exec init. Thank you, SE Linux! That's about as secure as a
> computer can get.
>
>
chcon -t sbin_t /sbin/mkinitrd

Reinstall the kernel and everything should be ok.
From mattdm at mattdm.org Tue Dec 12 21:54:44 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Tue, 12 Dec 2006 16:54:44 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <457F2316.2060305@redhat.com>
References: <20061208144749.GA12631@jadzia.bu.edu> <20061208153509.GA15942@jadzia.bu.edu> <457F2316.2060305@redhat.com>
Message-ID: <20061212215444.GB14797@jadzia.bu.edu>

On Tue, Dec 12, 2006 at 04:45:58PM -0500, Daniel J Walsh wrote:
> chcon -t sbin_t /sbin/mkinitrd
> Reinstall the kernel and everything should be ok.

Thank you. Any idea how this happened? I mean, it was rawhide and all, but....

--
Matthew Miller           mattdm at mattdm.org
Boston University Linux  ------>

From mharris at mharris.ca Wed Dec 13 12:33:24 2006
From: mharris at mharris.ca (Mike A. Harris)
Date: Wed, 13 Dec 2006 07:33:24 -0500
Subject: sendmail attempting to read to /dev/hda
Message-ID: <457FF314.8050902@mharris.ca>

Using FC6, I get the following SELinux warnings in /var/log/messages every time I reboot:

Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a

My sendmail configuration is unmodified from Fedora Core 6 default installation, and while sendmail is set to start at bootup, I am not currently using sendmail for anything on this system. Nonetheless the error is a bit alarming, and I didn't find anything similar in a google search. My system is fully updated to the current updates as of just prior to my reboot, which was about 15 minutes ago.
[root at shuttle ~]# rpm -qf /usr/sbin/sendmail.sendmail
sendmail-8.13.8-2
[root at shuttle ~]# ls -al /usr/sbin/sendmail.sendmail
-rwxr-sr-x 1 root smmsp 806460 Sep 5 09:27 /usr/sbin/sendmail.sendmail
[root at shuttle ~]# sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda, restorecon -v /dev/hda If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information:

Source Context:         system_u:system_r:system_mail_t
Target Context:         system_u:object_r:fixed_disk_device_t
Target Objects:         /dev/hda [ blk_file ]
Affected RPM Packages:  sendmail-8.13.8-2 [application]
Policy RPM:             selinux-policy-2.4.6-1.fc6
Selinux Enabled:        True
Policy Type:            targeted
MLS Enabled:            True
Enforcing Mode:         Enforcing
Plugin Name:            plugins.catchall_file
Host Name:              shuttle
Platform:               Linux shuttle 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
Alert Count:            2
Line Numbers:

Raw Audit Messages:

avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="hda" path="/dev/hda" pid=2509 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0

From tmraz at redhat.com Wed Dec 13 13:02:19 2006
From: tmraz at redhat.com (Tomas Mraz)
Date: Wed, 13 Dec 2006 14:02:19 +0100
Subject: sendmail attempting to read to /dev/hda
In-Reply-To: <457FF314.8050902@mharris.ca>
References: <457FF314.8050902@mharris.ca>
Message-ID: <1166014939.3084.3.camel@perun.kabelta.loc>

On Wed, 2006-12-13 at 07:33 -0500, Mike A. Harris wrote:
> Using FC6, I get the following SELinux warnings in /var/log/messages
> every time I reboot:
>
> Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing
> /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda
> (fixed_disk_device_t). For complete SELinux messages. run sealert
> -l 334bcb59-54ff-414f-bd52-f32c4990df4a
> Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing
> /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda
> (fixed_disk_device_t). For complete SELinux messages. run sealert
> -l 334bcb59-54ff-414f-bd52-f32c4990df4a

Known problem: smartd leaks a file descriptor when it calls sendmail.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
    Turkish proverb

From stefano at proinco.net Wed Dec 13 17:00:23 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 13 Dec 2006 09:00:23 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 13
Message-ID: <20061213170023.19225.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, Stefano Bagnasco

From dwalsh at redhat.com Wed Dec 13 21:18:52 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 13 Dec 2006 16:18:52 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <20061212215444.GB14797@jadzia.bu.edu>
References: <20061208144749.GA12631@jadzia.bu.edu> <20061208153509.GA15942@jadzia.bu.edu> <457F2316.2060305@redhat.com> <20061212215444.GB14797@jadzia.bu.edu>
Message-ID: <45806E3C.8030408@redhat.com>

Matthew Miller wrote:
> On Tue, Dec 12, 2006 at 04:45:58PM -0500, Daniel J Walsh wrote:
>> chcon -t sbin_t /sbin/mkinitrd
>> Reinstall the kernel and everything should be ok.
>
> Thank you. Any idea how this happened? I mean, it was rawhide and all,
> but....

I believe a new version of mkinitrd just came out.

From mattdm at mattdm.org Wed Dec 13 21:20:14 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Wed, 13 Dec 2006 16:20:14 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <45806E3C.8030408@redhat.com>
References: <20061208144749.GA12631@jadzia.bu.edu> <20061208153509.GA15942@jadzia.bu.edu> <457F2316.2060305@redhat.com> <20061212215444.GB14797@jadzia.bu.edu> <45806E3C.8030408@redhat.com>
Message-ID: <20061213212014.GA5099@jadzia.bu.edu>

On Wed, Dec 13, 2006 at 04:18:52PM -0500, Daniel J Walsh wrote:
> >>chcon -t sbin_t /sbin/mkinitrd
> >>Reinstall the kernel and everything should be ok.
> >Thank you. Any idea how this happened? I mean, it was rawhide and all,
> >but....
> I believe a new version of mkinitrd just came out.

And it had new, unexpected needs?
--
Matthew Miller mattdm at mattdm.org Boston University Linux ------>

From dwalsh at redhat.com Wed Dec 13 21:37:00 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 13 Dec 2006 16:37:00 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <20061213212014.GA5099@jadzia.bu.edu>
References: <20061208144749.GA12631@jadzia.bu.edu> <20061208153509.GA15942@jadzia.bu.edu> <457F2316.2060305@redhat.com> <20061212215444.GB14797@jadzia.bu.edu> <45806E3C.8030408@redhat.com> <20061213212014.GA5099@jadzia.bu.edu>
Message-ID: <4580727C.1060402@redhat.com>

Matthew Miller wrote:
> On Wed, Dec 13, 2006 at 04:18:52PM -0500, Daniel J Walsh wrote:
>>>> chcon -t sbin_t /sbin/mkinitrd
>>>> Reinstall the kernel and everything should be ok.
>>> Thank you. Any idea how this happened? I mean, it was rawhide and all,
>>> but....
>> I believe a new version of mkinitrd just came out.
>
> And it had new, unexpected needs?

Actually we decided that there was no good reason to confine mkinitrd; it has too broad powers to be any different from the domain that runs it.

From mattdm at mattdm.org Wed Dec 13 21:44:11 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Wed, 13 Dec 2006 16:44:11 -0500
Subject: permission denied errors upgrading kernel
In-Reply-To: <4580727C.1060402@redhat.com>
References: <20061208144749.GA12631@jadzia.bu.edu> <20061208153509.GA15942@jadzia.bu.edu> <457F2316.2060305@redhat.com> <20061212215444.GB14797@jadzia.bu.edu> <45806E3C.8030408@redhat.com> <20061213212014.GA5099@jadzia.bu.edu> <4580727C.1060402@redhat.com>
Message-ID: <20061213214411.GB6325@jadzia.bu.edu>

On Wed, Dec 13, 2006 at 04:37:00PM -0500, Daniel J Walsh wrote:
> >>I believe a new version of mkinitrd just came out.
> >And it had new, unexpected needs?
> Actually we decided that there was no good reason to confine mkinitrd;
> it has too broad powers to be any different from the domain that runs it.
So I just got unlucky in that I updated mkinitrd with the policy still constrained?

--
Matthew Miller mattdm at mattdm.org Boston University Linux ------>

From stefano at proinco.net Thu Dec 14 17:00:24 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 14 Dec 2006 09:00:24 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 14
Message-ID: <20061214170024.5309.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, Stefano Bagnasco

From stefano at proinco.net Fri Dec 15 17:00:13 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 15 Dec 2006 09:00:13 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 15
Message-ID: <20061215170013.26052.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, Stefano Bagnasco

From stefano at proinco.net Sat Dec 16 17:00:21 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 16 Dec 2006 09:00:21 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 16
Message-ID: <20061216170021.22920.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, Stefano Bagnasco

From stefano at proinco.net Sun Dec 17 17:00:17 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 17 Dec 2006 09:00:17 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 17
Message-ID: <20061217170017.23616.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office.
Regards, Stefano Bagnasco

From peter.pun at gmail.com Sun Dec 17 23:46:17 2006
From: peter.pun at gmail.com (Peter Pun)
Date: Sun, 17 Dec 2006 15:46:17 -0800
Subject: xwindows
Message-ID: <3e2c91580612171546j6216c218ye09dbfd74f62e0f6@mail.gmail.com>

Hi,
Where can I find more information regarding the development of SELinux to protect X Windows? I remember reading somewhere that people are working to have it protect the desktop someday, but I couldn't find that info again.

Peter

From rhally at mindspring.com Mon Dec 18 00:14:17 2006
From: rhally at mindspring.com (Richard Hally)
Date: Sun, 17 Dec 2006 19:14:17 -0500
Subject: xwindows
In-Reply-To: <3e2c91580612171546j6216c218ye09dbfd74f62e0f6@mail.gmail.com>
References: <3e2c91580612171546j6216c218ye09dbfd74f62e0f6@mail.gmail.com>
Message-ID: <4585DD59.6070300@mindspring.com>

Peter Pun wrote:
> Hi,
> Where can I find more information regarding the development of SELinux to
> protect X Windows? I remember reading somewhere that people are working
> to have it protect the desktop someday, but I couldn't find that info again.
>
> Peter
SEE: http://www.nsa.gov/selinux/list-archive/0405/thread_body38.cfm

From afco23 at yahoo.com.br Mon Dec 18 03:54:37 2006
From: afco23 at yahoo.com.br (Fabricio Oliveira)
Date: Mon, 18 Dec 2006 00:54:37 -0300 (ART)
Subject: unsubscribe
In-Reply-To: <20061217170009.22FFD73168@hormel.redhat.com>
Message-ID: <510611.52843.qm@web60416.mail.yahoo.com>

fedora-selinux-list-request at redhat.com wrote:

Today's Topics:

1. Re: fedora-selinux-list Digest, Vol 34, Issue 16 (stefano at proinco.net)

Message: 1
Date: 16 Dec 2006 09:00:21 -0800
From: stefano at proinco.net
Subject: Re: fedora-selinux-list Digest, Vol 34, Issue 16
To: fedora-selinux-list at redhat.com
Message-ID: <20061216170021.22920.qmail at su912267.aspadmin.net>
Content-Type: text/plain; charset="UTF-8"

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, Stefano Bagnasco

End of fedora-selinux-list Digest, Vol 34, Issue 17

Talk to your friends for free with the new Yahoo!
Messenger http://br.messenger.yahoo.com/

From kimiazhu at gmail.com Mon Dec 18 07:31:28 2006
From: kimiazhu at gmail.com (Kimia)
Date: Mon, 18 Dec 2006 15:31:28 +0800
Subject: Disabling IRQ #2
Message-ID: <4a21ab710612172331h4e1c64b1pe5b26305f1f2a0c0@mail.gmail.com>

When I updated my Fedora Core 6 with some software (not the kernel; I updated my kernel once, to 2.6.18-1.2849, and it is still that version), this occurred. From then on, every time I install software or update my system the console gets distorted, and when I restart the computer and open the console, it automatically prints the message:

Message from syslogd at localhost at Mon Dec 18 13:26:31 2006 ...
localhost kernel: Disabling IRQ #2

I forced ACPI to stop in the Services Setting menu. I want to fix the problem without stopping ACPI; what should I do? Any opinion will be appreciated. Thanks!

--
Kimia

From martin.meyer at hp.com Mon Dec 18 14:01:29 2006
From: martin.meyer at hp.com (Martin Meyer)
Date: Mon, 18 Dec 2006 09:01:29 -0500
Subject: xwindows
In-Reply-To: <4585DD59.6070300@mindspring.com>
References: <3e2c91580612171546j6216c218ye09dbfd74f62e0f6@mail.gmail.com> <4585DD59.6070300@mindspring.com>
Message-ID: <45869F39.4040806@hp.com>

I've found a post on the Xorg mailing list (http://lists.freedesktop.org/archives/xorg/2006-October/018603.html) that indicates that XACE has been merged into the server-1.2 branch and will be released as a part of X.org's 7.2 release (X11R7.2).

From http://people.freedesktop.org/~ewalsh/xace_proposal.html:

    The XACE (X Access Control Extension) is a set of generic "hooks" that can be used by other X extensions to perform access checks. The goal of XACE is to prevent clutter in the core dix/os code by providing a common mechanism for doing these sorts of checks.
The concept is identical to the Linux Security Module (LSM) in the Linux kernel.

I remember seeing something before about an SELinux module for XACE but I can't find the message right now. After XACE and the accompanying SELinux module are in place, there will still be a need for a window manager capable of displaying relevant context info. There is a bug open for Metacity (http://bugzilla.gnome.org/show_bug.cgi?id=356753) for adding SELinux support but it hasn't really gone anywhere yet. I was thinking that Compiz or Beryl could add some interesting functionality for SELinux-enabled systems such as dimming or coloring windows based on sensitivity levels or domains.

Martin Meyer

Richard Hally wrote:
> Peter Pun wrote:
>> Hi,
>> Where can I find more information regarding the development of SELinux
>> to protect X Windows? I remember reading somewhere that people are
>> working to have it protect the desktop someday, but I couldn't find
>> that info again.
>>
>> Peter
>
> SEE: http://www.nsa.gov/selinux/list-archive/0405/thread_body38.cfm

From stefano at proinco.net Mon Dec 18 17:00:18 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 18 Dec 2006 09:00:18 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 18
Message-ID: <20061218170018.16102.qmail@su912267.aspadmin.net>

This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, Stefano Bagnasco

From dwalsh at redhat.com Mon Dec 18 21:39:19 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 18 Dec 2006 16:39:19 -0500
Subject: Disabling IRQ #2
In-Reply-To: <4a21ab710612172331h4e1c64b1pe5b26305f1f2a0c0@mail.gmail.com>
References: <4a21ab710612172331h4e1c64b1pe5b26305f1f2a0c0@mail.gmail.com>
Message-ID: <45870A87.2020106@redhat.com>

Kimia wrote:
> When I updated my Fedora Core 6 with some software (not the kernel; I
> updated my kernel once, to 2.6.18-1.2849, and it is still that
> version), this occurred. From then on, every time I install software
> or update my system the console gets distorted, and when I restart the
> computer and open the console, it automatically prints the message:
>
> Message from syslogd at localhost at Mon Dec 18 13:26:31 2006 ...
> localhost kernel: Disabling IRQ #2
>
> I forced ACPI to stop in the Services Setting menu.
> I want to fix the problem without stopping ACPI; what should I do?
> Any opinion will be appreciated.
> Thanks!

Are you seeing avc messages in /var/log/audit/audit.log or /var/log/messages?
> --
> Kimia

From baskarkpm at yahoo.co.in Mon Dec 18 23:20:43 2006
From: baskarkpm at yahoo.co.in (baskar baskar)
Date: Mon, 18 Dec 2006 23:20:43 +0000 (GMT)
Subject: Reg error in policy module
Message-ID: <20061218232044.86703.qmail@web7905.mail.in.yahoo.com>

Hi,
I have written this module and saved it as twiki.te:

policy_module(twiki, 1.0)

require {
    type httpd_sys_script_exec_t;
    type sbin_t;
    type tmp_t;
    type ls_exec_t;
    type httpd_tmp_t;
    type httpd_sys_script_t;
}

allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
allow httpd_sys_script_t ls_exec_t:file getattr;
allow httpd_sys_script_t sbin_t:file getattr;
allow httpd_sys_script_t tmp_t:lnk_file read;
allow httpd_sys_script_t httpd_tmp_t:file { r_file_perms unlink write };

When I try to run

semodule -i twiki.pp

I am getting this error:

libsepol.permission_copy_callback: Module twiki depends on permission setkeycreate in class process, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

Please, can anyone help me? I am configuring TWiki now; without this I can't move to the next step. Please send me solutions.

Thanks in advance.
Regards
Baskar.N
From kimiazhu at gmail.com Tue Dec 19 08:06:31 2006
From: kimiazhu at gmail.com (Kimia)
Date: Tue, 19 Dec 2006 16:06:31 +0800
Subject: update fc erroe
Message-ID: <4a21ab710612190006r10398f9eg465ea4088f1e747c@mail.gmail.com>

When I updated my Fedora, this occurred. Here are several lines of what gnome-terminal shows:

error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal error, run database recovery
error: error(-30977) getting "c_get: DB_RUNRECOVERY: Fatal error, run database recovery
error: error(-30977) getting " ?k???????;/?y" records from Filemd5s index
rpmdb: PANIC: fatal region error detected; run recovery
error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal error, run database recovery
error: error(-30977) getting "?u?????0 ????" records from Filemd5s index
rpmdb: PANIC: fatal region error detected; run recovery
error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal error, run database recovery
error: error(-30977) getting "?U???????? ??" records from Filemd5s index

--
Kimia
From paul at city-fan.org Tue Dec 19 08:18:57 2006
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 19 Dec 2006 08:18:57 +0000
Subject: update fc erroe
In-Reply-To: <4a21ab710612190006r10398f9eg465ea4088f1e747c@mail.gmail.com>
References: <4a21ab710612190006r10398f9eg465ea4088f1e747c@mail.gmail.com>
Message-ID: <1166516337.28834.1.camel@metropolis.intra.city-fan.org>

On Tue, 2006-12-19 at 16:06 +0800, Kimia wrote:
> When I updated my Fedora, this occurred. Here are several lines of what
> gnome-terminal shows:
>
> error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal
> error, run database recovery
> error: error(-30977) getting " index
> rpmdb: PANIC: fatal region error detected; run recovery
> error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal
> error, run database recovery
> error: error(-30977) getting "
> ?k???????;/?y" records from Filemd5s
> index
> rpmdb: PANIC: fatal region error detected; run recovery
> error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal
> error, run database recovery
> error: error(-30977) getting "?u?????0 ????" records from Filemd5s
> index
> rpmdb: PANIC: fatal region error detected; run recovery
> error: db4 error(-30977) from dbcursor->c_get: DB_RUNRECOVERY: Fatal
> error, run database recovery
> error: error(-30977) getting "?U????????
> ??" records from
> Filemd5s index

Not an SELinux problem. Try this:

# rm /var/lib/rpm/__db.*

and then try again.

Paul.

From stefano at proinco.net Tue Dec 19 17:00:19 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 19 Dec 2006 09:00:19 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 19
Message-ID: <20061219170019.13026.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office.
Regards, Stefano Bagnasco

From kmacmill at redhat.com Tue Dec 19 22:07:01 2006
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 19 Dec 2006 17:07:01 -0500
Subject: Reg error in policy module
In-Reply-To: <20061218232044.86703.qmail@web7905.mail.in.yahoo.com>
References: <20061218232044.86703.qmail@web7905.mail.in.yahoo.com>
Message-ID: <45886285.8080402@redhat.com>

baskar baskar wrote:
> Hi,
> I have written this module and saved it as twiki.te
>
> policy_module(twiki, 1.0)
> require {
>     type httpd_sys_script_exec_t;
>     type sbin_t;
>     type tmp_t;
>     type ls_exec_t;
>     type httpd_tmp_t;
>     type httpd_sys_script_t;
> }
> allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
> allow httpd_sys_script_t ls_exec_t:file getattr;
> allow httpd_sys_script_t sbin_t:file getattr;
> allow httpd_sys_script_t tmp_t:lnk_file read;
> allow httpd_sys_script_t httpd_tmp_t:file { r_file_perms unlink write };
>
> When I try to run
> semodule -i twiki.pp
>
> I am getting
> libsepol.permission_copy_callback: Module twiki depends on permission setkeycreate in class process, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> this error.
> Please, can anyone help me?
> I am configuring TWiki now;
> without this I can't move to the next step.
> Please send me solutions.

Your policy headers (from selinux-policy-devel) don't match the installed policies. Are you compiling this on a different Fedora version from where you were installing the policy?

Karl

From stefano at proinco.net Wed Dec 20 17:00:25 2006
From: stefano at proinco.net (stefano at proinco.net)
Date: 20 Dec 2006 09:00:25 -0800
Subject: fedora-selinux-list Digest, Vol 34, Issue 20
Message-ID: <20061220170025.21170.qmail@su912267.aspadmin.net>

This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office.
Regards, Stefano Bagnasco

From kmacmill at redhat.com Wed Dec 20 17:11:40 2006
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 20 Dec 2006 12:11:40 -0500
Subject: [ANN] Madison policy generation tools
Message-ID: <45896ECC.6010605@redhat.com>

The first public release of the Madison SELinux policy generation tools can be found at http://et.redhat.com/madison/.

Madison is a new project to create command line and GUI policy generation tools that:

* Create more readable and secure policy by leveraging the reference policy development environment.
* Provide administrators with guidance and information to help them make good security decisions.

This release focuses on the creation of a foundation library (in python). It only includes a single tool - audit2policy - that is a drop-in replacement for audit2allow with better reference policy interface call generation (using the undocumented -R audit2allow flag).

Contributions are very welcome. I'm looking for help with:

* Testing (particularly interface call generation and module generation)
* Documentation
* Unit test creation
* Code / tool development

See the website for more details on contributing.

To the authors of other policy generation tools: I would like to avoid duplication of effort where possible. The current release focuses on areas that other tools have not explored thoroughly. Moving forward I would like to discuss how we can best work together.

Please send any feedback to the selinux development list.

Thanks - Karl

From mharris at mharris.ca Wed Dec 20 17:26:50 2006
From: mharris at mharris.ca (Mike A. Harris)
Date: Wed, 20 Dec 2006 12:26:50 -0500
Subject: sendmail attempting to read to /dev/hda
In-Reply-To: <1166014939.3084.3.camel@perun.kabelta.loc>
References: <457FF314.8050902@mharris.ca> <1166014939.3084.3.camel@perun.kabelta.loc>
Message-ID: <4589725A.6070306@mharris.ca>

Tomas Mraz wrote:
> On Wed, 2006-12-13 at 07:33 -0500, Mike A.
Harris wrote:
>> Using FC6, I get the following SELinux warnings in /var/log/messages
>> every time I reboot:
>>
>> Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing
>> /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda
>> (fixed_disk_device_t). For complete SELinux messages. run sealert
>> -l 334bcb59-54ff-414f-bd52-f32c4990df4a
>> Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing
>> /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda
>> (fixed_disk_device_t). For complete SELinux messages. run sealert
>> -l 334bcb59-54ff-414f-bd52-f32c4990df4a
>
> Known problem: smartd leaks a file descriptor when it calls sendmail.

Wow, thanks. ;) I'd have never suspected something like that in a billion years. ;)

From borzoi at caltanet.it Wed Dec 20 19:03:33 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Wed, 20 Dec 2006 20:03:33 +0100
Subject: Speakers for 3rd SELinux Symposium
In-Reply-To: <20061211170009.F341673564@hormel.redhat.com>
References: <20061211170009.F341673564@hormel.redhat.com>
Message-ID: <004501c72469$8cb55ad0$a6201070$@it>

Good evening Dr. Mayer,

I don't know about other countries, but in Italy people have been informed ;)
http://www.programmazione.it/index.php?entity=eitem&idItem=35011

A Merry Secure Christmas and a Happy Allowed New Year to everyone!

Paolo

------------------------------

Message: 2
Date: Mon, 11 Dec 2006 09:05:41 -0500
From: "Frank L. Mayer"
Subject: Speakers for 3rd SELinux Symposium (Registration opens)
To: ,
Message-ID: <3F5870E81362A647A4DA1D0DF8F10268772053 at exchange.columbia.tresys.com>
Content-Type: text/plain; charset="iso-8859-1"

All, we have announced the speakers for the 3rd SELinux Symposium, which will be held in Baltimore, Maryland on 12-16 March 2007. You can see the agenda, paper and tutorial abstracts, and registration information at the web site: www.selinux-symposium.org. Below is the text from the press release. Hope you can join us again at this conference.
Thanks to all the authors who submitted papers. You can still participate by submitting case study and works-in-progress proposals (see web site).

Frank

===============================================================

Speakers Confirmed for the Third Annual Security Enhanced Linux Symposium and Developer Summit

Event Slated for March 12-16, 2007 in Baltimore, Maryland, USA

Baltimore, Maryland - December 11, 2006 - The Security Enhanced Linux (SELinux) Symposium announces papers and speakers for its third annual symposium. Experts from business, government, and academia will share and discuss the latest SELinux application experience, research and development results, and product plans. The event explores the popular SELinux technology and the power of flexible mandatory access control in Linux. Registration for the SELinux Symposium, scheduled for March 12-16, 2007 in Baltimore, Maryland, is now open at www.selinux-symposium.org.

The Third SELinux Symposium features two full days of SELinux-related tutorials followed by a two-day technical agenda that includes papers, presentations, and case studies by experts and practitioners with SELinux. Topics for the symposium include changes and extensions to the core SELinux technology, advances in SELinux policy management and development, and the use of SELinux to build secure system solutions. The symposium also includes an invitation-only SELinux developer summit, where the core developers and contributors of SELinux discuss upcoming technology changes, requirements, and plans.

Papers for the symposium were selected via a community review process and include authors from several organizations, including atsec, Hewlett-Packard, IBM, Pennsylvania State University, Red Hat, SPARTA, Tresys Technology, University of Maryland-Baltimore County, U.S. Joint Forces Command, and the U.S. National Security Agency. The full agenda for the symposium is available at www.selinux-symposium.org.
About the SELinux Symposium

The Security Enhanced Linux (SELinux) Symposium is an annual exchange of ideas, technology, and research involving SELinux. SELinux is an emerging technology that adds flexible, strong mandatory access control security to Linux. The third annual symposium is scheduled for March 12-16, 2007 in Baltimore, Maryland, USA. This year's symposium is sponsored by Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings together experts from business, government, and academia to share research, development, and application experiences using SELinux. For information on registration and sponsorship opportunities, see www.selinux-symposium.org.

------------------------------

End of fedora-selinux-list Digest, Vol 34, Issue 11

From kimiazhu at gmail.com Fri Dec 22 05:17:50 2006
From: kimiazhu at gmail.com (Kimia)
Date: Fri, 22 Dec 2006 13:17:50 +0800
Subject: help! my wine has some errors!
Message-ID: <4a21ab710612212117uc210430m54a9a18774f1de80@mail.gmail.com>

I installed wine with yum; my system is FC6. When I start winecfg, and all other programs such as notepad, I receive the error:

Failed to open the service control manager.

Now, I did nothing, but it can run, and then the program died. I must click the force quit button to kill it.

Please, what should I do to run wine? Thanks for all ideas!

--
Kimia

From dwalsh at redhat.com Fri Dec 22 15:06:09 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 22 Dec 2006 10:06:09 -0500
Subject: help! my wine has some errors!
In-Reply-To: <4a21ab710612212117uc210430m54a9a18774f1de80@mail.gmail.com>
References: <4a21ab710612212117uc210430m54a9a18774f1de80@mail.gmail.com>
Message-ID: <458BF461.2020007@redhat.com>

Kimia wrote:
> I installed wine with yum; my system is FC6.
> When I start winecfg, and all other programs such as notepad, I receive
> the error:
> Failed to open the service control manager.
>
> Now, I did nothing, but it can run, and then the program died.
> I must click the force quit button to kill it.
>
> Please, what should I do to run wine?
> Thanks for all ideas!

Please look for avc messages in /var/log/audit/audit.log or /var/log/messages. Most likely you have a library mislabeled.

chcon -t textrel_shlib_t LIBRARY

would fix it.

From selinux at gmail.com Fri Dec 22 17:32:12 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 22 Dec 2006 09:32:12 -0800
Subject: execstack AVCs in Rawhide...?
Message-ID: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

I seem to be getting execstack AVCs from setroubleshootd, sealert, gaim, mixer_applet2, and firefox-bin. Firefox has flash and Sun java plugins; guessing that may be part of the issue.
tom

type=DAEMON_START msg=audit(1166807740.587:4053) auditd start, ver=1.3.1, format=raw, auid=4294967295 pid=2084 res=success, auditd pid=2084
type=CONFIG_CHANGE msg=audit(1166807740.687:5): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
type=CONFIG_CHANGE msg=audit(1166807740.893:6): audit_backlog_limit=256 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0
type=AVC msg=audit(1166807745.923:7): avc: denied { execstack } for pid=2187 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=process
type=SYSCALL msg=audit(1166807745.923:7): arch=40000003 syscall=125 success=no exit=-13 a0=bfce1000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2187 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.278:8): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.429:9): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_LaserJet_1300 uri=hal:///org/freedesktop/Hal/devices/usb_device_3f0_1017_00CNCB954325_if0_printer_noserial banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.494:10): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Innopath uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.496:11): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=USER_ERR msg=audit(1166807765.078:12): user pid=2960 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1166807777.433:13): user pid=3037 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1166807777.435:14): user pid=3037 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1166807777.436:15): user pid=3037 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1166807777.440:16): login pid=3037 uid=0 old auid=4294967295 new auid=500
type=USER_START msg=audit(1166807777.583:17): user pid=3037 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1166807777.585:18): user pid=3037 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=:0 res=success)'
type=AVC msg=audit(1166807804.117:19): avc: denied { execstack } for pid=3229 comm="sealert" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807804.117:19): arch=40000003 syscall=125 success=no exit=-13 a0=bf882000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3229 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sealert" exe="/usr/bin/python" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807804.624:20): avc: denied { execstack } for pid=3240 comm="sealert" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807804.624:20): arch=40000003 syscall=125 success=no exit=-13 a0=bff2f000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3239 pid=3240 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sealert" exe="/usr/bin/python" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807809.849:21): avc: denied { execstack } for pid=3283 comm="gaim" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807809.849:21): arch=40000003 syscall=125 success=no exit=-13 a0=bffd9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3193 pid=3283 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gaim" exe="/usr/bin/gaim" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807821.317:22): avc: denied { execstack } for pid=3419 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807821.317:22): arch=40000003 syscall=125 success=no exit=-13 a0=bfa39000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3408 pid=3419 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=USER_AUTH msg=audit(1166807845.960:23): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1166807845.961:24): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1166807847.381:25): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1166807847.382:26): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=AVC msg=audit(1166807900.148:27): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.148:27): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807900.158:28): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.158:28): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807900.162:29): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.162:29): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807900.163:30): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.163:30): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)

-- 
Tom London

From dwalsh at redhat.com Fri Dec 22 18:53:41 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 22 Dec 2006 13:53:41 -0500
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com>
Message-ID: <458C29B5.6000306@redhat.com>

Tom London wrote:

We are guessing there is some screwed up library on your machine that is causing this. Could you attempt to strace one of these apps to see which library is causing the problem.

Thanks,

Dan

> Running latest Rawhide, targeted/enforcing.
>
> I seem to be getting execstack AVCs from setroubleshootd, sealert,
> gaim, mixer_applet2, and firefox-bin.
>
> Firefox has flash and Sun java plugins; guessing that may be part of
> the issue.
>
> tom
>
> [quoted audit log snipped: verbatim duplicate of the log in Tom London's message above]

From selinux at gmail.com Fri Dec 22 20:35:12 2006
From: selinux at gmail.com (Tom London)
Date: Fri, 22 Dec 2006 12:35:12 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <458C29B5.6000306@redhat.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com>
Message-ID: <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com>

On 12/22/06, Daniel J Walsh wrote:
> Tom London wrote:
> We are guessing there is some screwed up library on your machine that is
> causing this. Could you attempt to strace one of these apps to see
> which library is causing the problem.
>
> Thanks,
>
> Dan

Damn..... Thanks for the hint....

Moving /home/tbl/.gstreamer-0.10/plugins/libgstflump3dec.so out of the way cleared this up for gaim.

I'm guessing firefox issues are related to flash/java.

Any ideas on what is causing setroubleshootd/sealert issues?

tom
-- 
Tom London

From drepper at redhat.com Fri Dec 22 22:12:06 2006
From: drepper at redhat.com (Ulrich Drepper)
Date: Fri, 22 Dec 2006 14:12:06 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com> <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com>
Message-ID: <458C5836.9090603@redhat.com>

Tom London wrote:
> Any ideas on what is causing setroubleshootd/sealert issues?

It's a problem in Python.

/usr/lib64/python2.5/lib-dynload/_ctypes.so

This DSO is compiled incorrectly, it is marked to use an executable stack.

-- 
Ulrich Drepper - Red Hat, Inc. - 444 Castro St - Mountain View, CA

From drepper at redhat.com Fri Dec 22 22:50:18 2006
From: drepper at redhat.com (Ulrich Drepper)
Date: Fri, 22 Dec 2006 14:50:18 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <458C5836.9090603@redhat.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com> <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com> <458C5836.9090603@redhat.com>
Message-ID: <458C612A.3090503@redhat.com>

Ulrich Drepper wrote:
> This DSO is compiled incorrectly, it is marked to use an executable stack.

To follow up, I filed

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220669

which also has a patch for x86-64. I don't know when it'll be rebuilt, though, the East Coast already left for the holiday break.

-- 
Ulrich Drepper - Red Hat, Inc. - 444 Castro St - Mountain View, CA

From selinux at gmail.com Sat Dec 23 17:30:43 2006
From: selinux at gmail.com (Tom London)
Date: Sat, 23 Dec 2006 09:30:43 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <458C612A.3090503@redhat.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com> <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com> <458C5836.9090603@redhat.com> <458C612A.3090503@redhat.com>
Message-ID: <4c4ba1530612230930x7e14453fwde612d10766bb70e@mail.gmail.com>

On 12/22/06, Ulrich Drepper wrote:
> Ulrich Drepper wrote:
> > This DSO is compiled incorrectly, it is marked to use an executable stack.
>
> To follow up, I filed
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220669
>
> which also has a patch for x86-64. I don't know when it'll be rebuilt,
> though, the East Coast already left for the holiday break.
>

Today's rawhide seems to make the firefox issues 'vanish'. (flash and java plugins enabled, but no AVCs.)

tom
-- 
Tom London

From selinux at gmail.com Mon Dec 25 18:49:58 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 25 Dec 2006 10:49:58 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <458C5836.9090603@redhat.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com> <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com> <458C5836.9090603@redhat.com>
Message-ID: <4c4ba1530612251049n301799c2ndcf05a4532704316@mail.gmail.com>

On 12/22/06, Ulrich Drepper wrote:
> Tom London wrote:
> > Any ideas on what is causing setroubleshootd/sealert issues?
>
> It's a problem in Python.
>
> /usr/lib64/python2.5/lib-dynload/_ctypes.so
>
> This DSO is compiled incorrectly, it is marked to use an executable stack.
>

A little bit of checking shows:

xorg/modules/drivers/nsc_drv.so GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4

also compiled with executable stack. That right?

tom
-- 
Tom London

From drepper at redhat.com Mon Dec 25 19:04:44 2006
From: drepper at redhat.com (Ulrich Drepper)
Date: Mon, 25 Dec 2006 11:04:44 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <4c4ba1530612251049n301799c2ndcf05a4532704316@mail.gmail.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com> <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com> <458C5836.9090603@redhat.com> <4c4ba1530612251049n301799c2ndcf05a4532704316@mail.gmail.com>
Message-ID: <459020CC.90904@redhat.com>

Tom London wrote:
> xorg/modules/drivers/nsc_drv.so GNU_STACK 0x000000 0x00000000
> 0x00000000 0x000000 0x000000 RWE 0x4
>
> also compiled with executable stack. That right?

Yes, this should be changed, too.

-- 
Ulrich Drepper - Red Hat, Inc. - 444 Castro St - Mountain View, CA

From selinux at gmail.com Mon Dec 25 19:22:56 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 25 Dec 2006 11:22:56 -0800
Subject: execstack AVCs in Rawhide...?
In-Reply-To: <459020CC.90904@redhat.com>
References: <4c4ba1530612220932p7cddda92o196d78dbb4d27ef3@mail.gmail.com> <458C29B5.6000306@redhat.com> <4c4ba1530612221235y520217c9tea2ec8ff867d526f@mail.gmail.com> <458C5836.9090603@redhat.com> <4c4ba1530612251049n301799c2ndcf05a4532704316@mail.gmail.com> <459020CC.90904@redhat.com>
Message-ID: <4c4ba1530612251122i2fc971bdtc1c10dfe8ffa1d7d@mail.gmail.com>

On 12/25/06, Ulrich Drepper wrote:
> Tom London wrote:
> > xorg/modules/drivers/nsc_drv.so GNU_STACK 0x000000 0x00000000
> > 0x00000000 0x000000 0x000000 RWE 0x4
> >
> > also compiled with executable stack. That right?
>
> Yes, this should be changed, too.
>
> --

BZ'ed here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220749

-- 
Tom London

From sundaram at fedoraproject.org Wed Dec 27 09:05:28 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Wed, 27 Dec 2006 14:35:28 +0530
Subject: [ANN] Madison policy generation tools
In-Reply-To: <45896ECC.6010605@redhat.com>
References: <45896ECC.6010605@redhat.com>
Message-ID: <45923758.8020803@fedoraproject.org>

Karl MacMillan wrote:
> The first public release of the Madison SELinux policy generation tools
> can be found at http://et.redhat.com/madison/. Madison is a new project
> to create command line and GUI policy generation tools that:
>
> * Create more readable and secure policy by leveraging the reference
> policy development environment.
> * Provide administrators with guidance and information to help them
> make good security decisions.
>
> This release focuses on the creation of a foundation library (in
> python). It only includes a single tool - audit2policy - that is a drop
> in replacement for audit2allow with better reference policy interface
> call generation (using the undocumented -R audit2allow flag).
>
> Contributions are very welcome.
> I'm looking for help with:
>
> * Testing (particularly interface call generation and module
> generation)
> * Documentation
> * Unit test creation
> * Code / tool development
>
> See the website for more details on contributing.
>
> To the authors of other policy generation tools: I would like to avoid
> duplication of effort where possible. The current release focuses on
> areas that other tools have not explored thoroughly. Moving forward I
> would like to discuss how we can best work together.
>
> Please send any feedback to the selinux development list.

I don't want to subscribe to yet another list so I will send in my comments here. I have put in an announcement in fedoraproject.org. A few questions.

* I installed the FC6 version. audit2policy is the only tool in this package as of now. Do you plan to include it within an existing package or introduce a new one? Do you plan to replace audit2allow with this? What are the specific differences between them?

* What is the plan for the GUI application? Is this connected to system-config-selinux or semanage?

* There is absolutely no documentation on the madison package and running audit2policy on its own doesn't return the prompt (that probably should return some basic help and we need a man page). I can help with writing documentation if someone can explain the details to me.

Rahul

From mantaray_1 at cox.net Fri Dec 29 04:08:46 2006
From: mantaray_1 at cox.net (Ken)
Date: Thu, 28 Dec 2006 21:08:46 -0700
Subject: Basic GUI on strict policy
Message-ID: <459494CE.9050005@cox.net>

List members -

I have recently been working on setting up a strict policy (using selinux-policy-2.4.6-1.fc6), and I thought I would make a post to share the module I made which allows logging in and entering the GUI. The module includes four user-defined types, which I use to limit program access to my home directories, but which do not need to be included.
Some rules would need to be adapted for use without three of the four user-defined types (which are for ".gnome", ".gnome2", and ".gnome2_private" in the user's home directory). I have not taken the time to translate the "allow" statements into calls to "access interfaces", but the module could be a starting point for someone working on developing a personalized strict policy for their system.

I had several problems with mls while working on the policy, and this is why the mls interfaces are included for "user_t" in the module. I did not take the time to see exactly which statements were necessary, since I am not particularly interested in using mls anyway.

Without the additional types, the ".fc" file could be blank, and the ".if" file could simply contain a descriptive title such as: "## Rules added for GUI access".

I have included this module in the "apps" folder on my system. To use the module, after placing the files in the "apps" folder, run "make conf" and "make load".

I want to make it clear that I do not work with SELinux policy professionally, and I am not an expert on policy creation or Linux security. I may have included permissions that are not needed, and I may have omitted permissions that are needed. I am making this post because I want to share what I came up with while working on a policy for my own system. In short: It works for my system, and it took a bit of work for me to get to this point, so I want to share it.

Developers -

From my experience, I have a couple of comments I hope policy developers will find helpful:

First, a strict policy without mls enabled that would function essentially the same as the "strict-mls" option might be useful to some users. I would have preferred to install "strict" rather than "strict-mls" but my system would not even boot with the non-mls version. I did not investigate this problem very carefully, but I found, for example, that there is no "netifcon lo ..." statement for "strict", while there is for "strict-mls".

Second, I found some of the permissions needed to successfully enter the GUI were difficult to determine (without sorting through lots of extra "denied" statements that resulted from disabling "dontaudit" statements). Perhaps some time could be spent developing a policy somewhere between "strict" and "targeted" that allows more access and has less "dontaudit" statements written into the modules; or perhaps an optional module could be included with the "strict" policy that has been written by someone who knows exactly what is needed and what is not needed (rather than by someone like myself), and that allows basic access to the GUI.

-Ken-

*********************************
*********************************

policy_module(basic_use,1.0)

#########
#
# These rules are needed for basic operation using the strict policy.
#

require {
    class capability { fowner setgid setuid sys_tty_config };
    class chr_file { getattr ioctl read write };
    class dbus send_msg;
    class dir { add_name getattr read remove_name search setattr write };
    class fd use;
    class fifo_file { getattr ioctl read write };
    class file { create execute execute_no_trans getattr read setattr unlink write };
    class filesystem { associate getattr };
    class netif { tcp_recv tcp_send };
    class process { execheap execmem execstack getpgid getsched signal };
    class shm { associate create destroy getattr read unix_read unix_write write };
    class sock_file { create unlink write };
    class unix_stream_socket connectto;
    #
    role object_r;
    role sysadm_r;
    role system_r;
    role user_r;
    #
    type alsa_etc_rw_t;
    type apmd_t;
    type autofs_t;
    type bin_t;
    type binfmt_misc_fs_t;
    type boot_t;
    type cupsd_t;
    type cupsd_var_run_t;
    type default_t;
    type devpts_t;
    type etc_runtime_t;
    type fonts_t;
    type fs_t;
    type hostname_t;
    type ice_tmp_t;
    type initrc_t;
    type inotifyfs_t;
    type kernel_t;
    type lo_netif_t;
    type local_login_t;
    type lost_found_t;
    type lvm_control_t;
    type mono_exec_t;
    type net_conf_t;
    type nscd_var_run_t;
    type rpc_pipefs_t;
    type shell_exec_t;
    type sound_device_t;
    type sysadm_dbusd_t;
    type sysadm_gconf_tmp_t;
    type sysadm_gconfd_t;
    type sysadm_home_dir_t;
    type sysadm_home_t;
    type sysadm_t;
    type sysadm_tmp_t;
    type sysadm_tty_device_t;
    type sysadm_xauth_home_t;
    type sysadm_xserver_t;
    type sysadm_xserver_tmp_t;
    type sysctl_fs_t;
    type sysfs_t;
    type system_crond_t;
    type system_dbusd_t;
    type system_dbusd_var_run_t;
    type tmpfs_t;
    type usbfs_t;
    type user_dbusd_t;
    type user_gconf_tmp_t;
    type user_gconfd_t;
    type user_home_dir_t;
    type user_home_t;
    type user_t;
    type user_tmp_t;
    type user_tty_device_t;
    type user_xauth_home_t;
    type user_xserver_t;
    type user_xserver_tmp_t;
    type var_lib_nfs_t;
    type var_lib_t;
    type var_run_t;
    type var_t;
    type xdm_xserver_tmp_t;
}

#
# Types:
#
type file_transfer_t;
type gnome_t;
type gnome2_private_t;
type gnome2_t;

#
# mls:
#
mls_file_read_up(user_t)
mls_file_write_down(user_t)
mls_file_upgrade(user_t)
mls_file_downgrade(user_t)
mls_file_write_within_range(user_t)
mls_socket_read_all_levels(user_t)
mls_socket_read_to_clearance(user_t)
mls_socket_write_all_levels(user_t)
mls_net_receive_all_levels(user_t)
mls_sysvipc_read_all_levels(user_t)
mls_sysvipc_write_all_levels(user_t)
mls_rangetrans_source(user_t)
mls_rangetrans_target(user_t)
mls_process_read_up(user_t)
mls_process_write_down(user_t)
mls_process_set_level(user_t)
mls_xwin_read_all_levels(user_t)
mls_xwin_write_all_levels(user_t)
mls_colormap_read_all_levels(user_t)
mls_colormap_write_all_levels(user_t)
mls_trusted_object(user_t)
mls_fd_use_all_levels(user_t)
mls_fd_share_all_levels(user_t)
mls_context_translate_all_levels(user_t)

#
# Ability to login and enter the GUI:
#
allow apmd_t kernel_t:file read;
allow apmd_t user_tty_device_t:chr_file { getattr ioctl write };
allow gnome2_t fs_t:filesystem associate;
allow hostname_t nscd_var_run_t:dir search;
allow initrc_t lvm_control_t:chr_file write;
allow initrc_t var_t:file { setattr write };
allow sysadm_dbusd_t autofs_t:dir getattr;
allow sysadm_dbusd_t bin_t:file { execute execute_no_trans };
allow sysadm_dbusd_t binfmt_misc_fs_t:dir getattr;
allow sysadm_dbusd_t boot_t:dir getattr;
allow sysadm_dbusd_t devpts_t:dir getattr;
allow sysadm_dbusd_t etc_runtime_t:file { getattr read };
allow sysadm_dbusd_t fonts_t:dir { getattr search };
allow sysadm_dbusd_t fonts_t:file { getattr read };
allow sysadm_dbusd_t fs_t:filesystem getattr;
allow sysadm_dbusd_t inotifyfs_t:dir getattr;
allow sysadm_dbusd_t local_login_t:fd use;
allow sysadm_dbusd_t rpc_pipefs_t:dir getattr;
allow sysadm_dbusd_t self:capability { setgid setuid };
allow sysadm_dbusd_t self:fifo_file { getattr ioctl read write };
allow sysadm_dbusd_t self:process { execmem execstack getsched };
allow sysadm_dbusd_t self:shm { create destroy read unix_read unix_write write };
allow sysadm_dbusd_t self:unix_stream_socket connectto;
allow sysadm_dbusd_t shell_exec_t:file { execute execute_no_trans getattr read };
allow sysadm_dbusd_t sound_device_t:chr_file { ioctl read write };
allow sysadm_dbusd_t sysadm_gconf_tmp_t:file { getattr read };
allow sysadm_dbusd_t sysadm_gconfd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t sysadm_home_dir_t:dir { getattr read search };
allow sysadm_dbusd_t sysadm_home_t:dir { getattr read search };
allow sysadm_dbusd_t sysadm_home_t:file { getattr read write };
allow sysadm_dbusd_t sysadm_t:dbus send_msg;
allow sysadm_dbusd_t sysadm_tmp_t:dir { add_name getattr remove_name search setattr write };
allow sysadm_dbusd_t sysadm_tmp_t:sock_file { create write unlink };
allow sysadm_dbusd_t sysadm_tty_device_t:chr_file { read write };
allow sysadm_dbusd_t sysadm_xauth_home_t:file { getattr read };
allow sysadm_dbusd_t sysadm_xserver_t:unix_stream_socket connectto;
allow sysadm_dbusd_t sysadm_xserver_tmp_t:dir search;
allow sysadm_dbusd_t sysadm_xserver_tmp_t:sock_file write;
allow sysadm_dbusd_t sysctl_fs_t:dir search;
allow sysadm_dbusd_t sysfs_t:dir getattr;
allow sysadm_dbusd_t system_dbusd_t:dbus
send_msg; allow sysadm_dbusd_t system_dbusd_t:unix_stream_socket connectto; allow sysadm_dbusd_t system_dbusd_var_run_t:dir search; allow sysadm_dbusd_t system_dbusd_var_run_t:sock_file write; allow sysadm_dbusd_t tmpfs_t:dir getattr; allow sysadm_dbusd_t tmpfs_t:file { read write }; allow sysadm_dbusd_t usbfs_t:dir getattr; allow sysadm_dbusd_t user_xserver_tmp_t:dir search; allow sysadm_dbusd_t user_xserver_tmp_t:sock_file write; allow sysadm_dbusd_t var_lib_nfs_t:dir search; allow sysadm_dbusd_t var_lib_t:dir search; allow sysadm_dbusd_t var_t:file { getattr read }; allow sysadm_gconfd_t local_login_t:fd use; allow sysadm_gconfd_t sysadm_dbusd_t:unix_stream_socket connectto; allow sysadm_gconfd_t sysadm_tty_device_t:chr_file { read write }; allow sysadm_t cupsd_t:unix_stream_socket connectto; allow sysadm_t default_t:file execute; allow sysadm_t lost_found_t:dir { read write }; allow sysadm_t mono_exec_t:file { execute execute_no_trans }; allow sysadm_t self:process { execmem execstack }; allow sysadm_xserver_t self:process { execmem execstack }; allow sysadm_xserver_t sysadm_dbusd_t:fd use; allow sysadm_xserver_t sysadm_dbusd_t:shm { associate getattr read unix_read unix_write write }; allow sysadm_xserver_t sysadm_home_t:dir search; allow sysadm_xserver_t sysadm_home_t:file { getattr read }; allow sysadm_xserver_t sysadm_t:process getpgid; allow sysadm_xserver_t tmpfs_t:file { read write }; allow sysadm_xserver_t user_xserver_tmp_t:dir { add_name getattr remove_name search write }; allow sysadm_xserver_t user_xserver_tmp_t:sock_file { create unlink }; allow system_crond_t var_run_t:dir { add_name remove_name write }; allow system_crond_t var_run_t:file { create unlink write }; allow user_dbusd_t autofs_t:dir getattr; allow user_dbusd_t bin_t:file { execute execute_no_trans }; allow user_dbusd_t binfmt_misc_fs_t:dir getattr; allow user_dbusd_t boot_t:dir getattr; allow user_dbusd_t devpts_t:dir getattr; allow user_dbusd_t etc_runtime_t:file { getattr read }; 
allow user_dbusd_t fonts_t:dir { getattr search }; allow user_dbusd_t fonts_t:file { getattr read }; allow user_dbusd_t fs_t:filesystem getattr; allow user_dbusd_t gnome2_private_t:dir getattr; allow user_dbusd_t gnome2_t:dir { getattr read search }; allow user_dbusd_t gnome2_t:file { getattr read write }; allow user_dbusd_t inotifyfs_t:dir getattr; allow user_dbusd_t local_login_t:fd use; allow user_dbusd_t rpc_pipefs_t:dir getattr; allow user_dbusd_t self:fifo_file { getattr ioctl read write }; allow user_dbusd_t self:process getsched; allow user_dbusd_t self:shm { create destroy read unix_read unix_write write }; allow user_dbusd_t self:unix_stream_socket connectto; allow user_dbusd_t shell_exec_t:file { execute execute_no_trans getattr read }; allow user_dbusd_t sound_device_t:chr_file { ioctl read write }; allow user_dbusd_t sysadm_xserver_tmp_t:dir search; allow user_dbusd_t sysadm_xserver_tmp_t:sock_file write; allow user_dbusd_t sysctl_fs_t:dir search; allow user_dbusd_t sysfs_t:dir getattr; allow user_dbusd_t system_dbusd_t:dbus send_msg; allow user_dbusd_t system_dbusd_t:unix_stream_socket connectto; allow user_dbusd_t system_dbusd_var_run_t:dir search; allow user_dbusd_t system_dbusd_var_run_t:sock_file write; allow user_dbusd_t tmpfs_t:dir getattr; allow user_dbusd_t tmpfs_t:file { read write }; allow user_dbusd_t usbfs_t:dir getattr; allow user_dbusd_t user_gconf_tmp_t:dir { getattr search }; allow user_dbusd_t user_gconf_tmp_t:file { getattr read }; allow user_dbusd_t user_gconfd_t:unix_stream_socket connectto; allow user_dbusd_t user_home_dir_t:dir { getattr read search }; allow user_dbusd_t user_home_t:dir { read search }; allow user_dbusd_t user_home_t:file { getattr read }; allow user_dbusd_t user_t:dbus send_msg; allow user_dbusd_t user_tmp_t:dir { add_name getattr remove_name search setattr write }; allow user_dbusd_t user_tmp_t:sock_file { create unlink write }; allow user_dbusd_t user_tty_device_t:chr_file { read write }; allow user_dbusd_t 
user_xauth_home_t:file { getattr read }; allow user_dbusd_t user_xserver_t:unix_stream_socket connectto; allow user_dbusd_t user_xserver_tmp_t:dir search; allow user_dbusd_t user_xserver_tmp_t:sock_file write; allow user_dbusd_t var_lib_nfs_t:dir search; allow user_dbusd_t var_lib_t:dir search; allow user_dbusd_t var_t:file { getattr read }; allow user_gconfd_t local_login_t:fd use; allow user_gconfd_t user_dbusd_t:unix_stream_socket connectto; allow user_gconfd_t user_tty_device_t:chr_file { read write }; allow user_t alsa_etc_rw_t:file read; allow user_t cupsd_t:unix_stream_socket connectto; allow user_t cupsd_var_run_t:sock_file write; allow user_t gnome_t:dir { getattr search }; allow user_t gnome_t:file { getattr read write }; allow user_t gnome2_private_t:dir getattr; allow user_t gnome2_t:dir { add_name getattr read remove_name search write }; allow user_t gnome2_t:file { create getattr read unlink }; allow user_t ice_tmp_t:dir { add_name getattr remove_name search write }; allow user_t ice_tmp_t:sock_file { create unlink write }; allow user_t net_conf_t:file read; allow user_t self:process { execheap execmem execstack }; allow user_t sysadm_xserver_tmp_t:sock_file write; allow user_t sysctl_fs_t:file read; allow user_t user_gconfd_t:process signal; allow user_t user_gconf_tmp_t:dir { getattr search }; allow user_t user_gconf_tmp_t:file { getattr read }; allow user_t user_xserver_t:dir { getattr search }; allow user_t user_xserver_t:file read; allow user_xserver_t gnome2_t:dir search; allow user_xserver_t gnome2_t:file { getattr read }; allow user_xserver_t lo_netif_t:netif { tcp_recv tcp_send }; allow user_xserver_t self:capability fowner; allow user_xserver_t self:process { execmem execstack }; allow user_xserver_t sysadm_xserver_tmp_t:dir { add_name getattr remove_name search write }; allow user_xserver_t sysadm_xserver_tmp_t:sock_file { create unlink }; allow user_xserver_t tmpfs_t:file { read write }; allow user_xserver_t user_dbusd_t:fd use; allow 
user_xserver_t user_dbusd_t:shm { associate getattr read unix_read unix_write write }; allow user_xserver_t user_t:process getpgid; allow user_xserver_t xdm_xserver_tmp_t:file read; # End From selinux at gmail.com Sat Dec 30 18:23:43 2006 From: selinux at gmail.com (Tom London) Date: Sat, 30 Dec 2006 10:23:43 -0800 Subject: vmware beta....needs mount/unmount? Message-ID: <4c4ba1530612301023s1ca6145i49cdf5d4804b8276@mail.gmail.com> Running latest rawhide, targeted/enforcing. I'm testing the latest vmware beta (6?). Seems to want to mount on /proc/fs/vmware-block/mountPoint: none on /proc/fs/vmware-block/mountPoint type vmware-block (rw) This produces the following AVC during boot: type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000 items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) I believe this is the associated AVC from 'unmount' during shutdown: type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121 items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null) This appears to be the script from /etc/init.d/vmware: # Start the file system blocking driver vmware_start_vmblock() { mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD vmware_exec 'Loading module' 
vmware_load_module $vmblock exitcode=`expr $exitcode + $?` mount -t vmware-block none /proc/fs/vmware-block/mountPoint } # Stop the file system blocking driver vmware_stop_vmblock() { umount /proc/fs/vmware-block/mountPoint vmware_unload_module $vmblock } Right way to fix? tom -- Tom London
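Both posts above start from AVC denial records: Ken's basic_use module is a set of allow rules collected from denials with dontaudit disabled, and Tom's report pairs each AVC with the SYSCALL record that carries the same audit event id. The following Python script is an added example, not code from either post and not the audit2allow tool itself. It parses a constructed audit.log excerpt (the records are made up for the example and only mimic the field layout of the denials quoted in the thread), joins AVC records to their SYSCALL records by event id so you can see which binary made the call and whether the kernel let it through, collapses the denials into one allow rule per source type, target type and class (writing self for a target equal to the source, as audit2allow does), and emits a refpolicy module skeleton with its require block. The sample records, the module name local_fixes and every function name are assumptions for the example.

```python
"""Correlate SELinux AVC records with their SYSCALL records by audit
event id and collapse the denials into candidate allow rules, i.e. a
minimal audit2allow. Added example for this thread, not code posted by
Ken or Tom; the audit lines below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not a real capture).
SAMPLE_LOG = """\
type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 success=yes exit=0 items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 success=no exit=-13 items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1167502400.100:40): avc: denied { read } for pid=5000 comm="dbus-daemon" name="fonts.conf" dev=sda3 ino=77 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1167502400.100:41): avc: denied { getattr } for pid=5000 comm="dbus-daemon" name="fonts.conf" dev=sda3 ino=77 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1167502401.000:42): avc: denied { execmem } for pid=5001 comm="Xorg" scontext=user_u:user_r:user_xserver_t:s0 tcontext=user_u:user_r:user_xserver_t:s0 tclass=process
"""

EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """key=value pairs, with quotes stripped from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Group records by audit event id: {event: {"avc": [...], "syscall": {...} or None}}."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an audit record we care about
        ev, body = events[m.group("event")], m.group("body")
        if m.group("type") == "AVC":
            a = AVC_RE.match(body)
            if a:
                rec = parse_fields(a.group("rest"))
                rec["verdict"], rec["perms"] = a.group("verdict"), a.group("perms").split()
                ev["avc"].append(rec)
        elif m.group("type") == "SYSCALL":
            ev["syscall"] = parse_fields(body)
    return dict(events)


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def denials_with_syscall(events):
    """One row per AVC denial, joined with exe/success from the SYSCALL record of
    the same event (that record says which binary made the call and whether
    the kernel completed it); exe/success are None when no SYSCALL record exists."""
    rows = []
    for event, ev in sorted(events.items()):
        sc = ev["syscall"] or {}
        for rec in ev["avc"]:
            if rec["verdict"] == "denied":
                rows.append({"event": event, "comm": rec.get("comm"), "exe": sc.get("exe"),
                             "success": sc.get("success"), "perms": rec["perms"],
                             "scontext": rec["scontext"], "tcontext": rec["tcontext"],
                             "tclass": rec["tclass"]})
    return rows


def collect_denials(events):
    """Collapse denials into {(source_type, target_type, class): set(perms)};
    a target equal to the source is written as 'self', as audit2allow does."""
    wanted = defaultdict(set)
    for row in denials_with_syscall(events):
        s, t = type_of(row["scontext"]), type_of(row["tcontext"])
        wanted[(s, "self" if s == t else t, row["tclass"])].update(row["perms"])
    return dict(wanted)


def _perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_rules(wanted):
    return [f"allow {s} {t}:{c} {_perm_str(p)};" for (s, t, c), p in sorted(wanted.items())]


def render_module(name, wanted):
    """Emit a loadable refpolicy module skeleton: require block plus allow rules."""
    classes, types = defaultdict(set), set()
    for (s, t, c), p in wanted.items():
        classes[c].update(p)
        types.update(x for x in (s, t) if x != "self")
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\tclass {c} {_perm_str(p)};" for c, p in sorted(classes.items())]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += ["}", ""] + render_rules(wanted)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_audit(SAMPLE_LOG)
    for row in denials_with_syscall(parsed):
        print(f"{row['event']}: {row['comm']} ({row['exe']}, success={row['success']}) "
              f"needs {' '.join(row['perms'])} on {row['tclass']}")
    print(render_module("local_fixes", collect_denials(parsed)))
```

Treat the output as a worklist rather than as policy to load: each rule names exactly what would be granted, and generated rules tend to be exactly as broad as the denial that produced them. A target of unlabeled_t, as in the vmware-block denials, means no labeling rule applied to that filesystem at all, so an allow against unlabeled_t covers far more than the one mount point; giving the filesystem its own label (for instance with a genfscon statement) and writing the rule against the resulting type is the narrower fix. Permissions such as execmem and execstack weaken the W^X protection for that domain and deserve a look at why the program needs them before being granted.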