From sds at tycho.nsa.gov Wed Nov 1 13:32:13 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Nov 2006 08:32:13 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <1162331334.4147.6.camel@localhost.localdomain>
References: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com> <454509C2.7080008@gmail.com> <1162316975.32614.146.camel@moss-spartans.epoch.ncsc.mil> <1162331334.4147.6.camel@localhost.localdomain>
Message-ID: <1162387933.32614.188.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-10-31 at 16:48 -0500, Karl MacMillan wrote:
> On Tue, 2006-10-31 at 12:49 -0500, Stephen Smalley wrote:
> > On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> > > On 10/29/2006 06:33 PM, Joshua Brindle wrote:
> > > > Right, that's a hard fix I think, dashes aren't allowed in
> > > > identifiers and they are treated specially for use in MLS ranges..
> > >
> > > Oh, that's really bad :( Without that line files on ntfs-3g filesystem
> > > have unlabeled_t type and I would need to give too many privileges to
> > > mount_t domain.
> > >
> > > So there is no hope to fix it in the clean way?
> >
> > File it as a bug against checkpolicy.
>
> I looked at fixing this by changing genfscon to use user_identifier
> instead of identifier (they are the same except user_identifier includes
> "-"). This made checkpolicy generate a syntax error for all genfscon
> statements - haven't tracked down what the problem is. The grammar still
> seems to be unambiguous.

Use "user_id" instead. Otherwise, you'll get a syntax error when the
token is classified as an IDENTIFIER (first match) and the grammar says
that it must be a USER_IDENTIFIER.

> I'll try to get back to it soon, but thought I would post this in case
> someone knows what the issue is off the top of their head.
>
> Karl

--
Stephen Smalley
National Security Agency

From: jbrindle at tresys.com (Joshua Brindle)
Date: Wed, 1 Nov 2006 10:27:59 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <1162394514.29617.5.camel@localhost.localdomain>
Message-ID: <6FE441CD9F0C0C479F2D88F959B0158851492D@exchange.columbia.tresys.com>

> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
>
> > > I looked at fixing this by changing genfscon to use user_identifier
> > > instead of identifier (they are the same except user_identifier
> > > includes "-"). This made checkpolicy generate a syntax error for all
> > > genfscon statements - haven't tracked down what the problem is. The
> > > grammar still seems to be unambiguous.
> >
> > Use "user_id" instead. Otherwise, you'll get a syntax error when the
> > token is classified as an IDENTIFIER (first match) and the grammar
> > says that it must be a USER_IDENTIFIER.
>
> Right as usual.
>

Maybe make user_id more generic as it is no longer only used for users..

From: jbrindle at tresys.com (Joshua Brindle)
Date: Wed, 1 Nov 2006 11:12:09 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <1162397375.29617.20.camel@localhost.localdomain>
Message-ID: <6FE441CD9F0C0C479F2D88F959B01588514956@exchange.columbia.tresys.com>

> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
>
> On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
> > >
> > > > > I looked at fixing this by changing genfscon to use user_identifier
> > > > > instead of identifier (they are the same except user_identifier
> > > > > includes "-"). This made checkpolicy generate a syntax error for all
> > > > > genfscon statements - haven't tracked down what the problem is. The
> > > > > grammar still seems to be unambiguous.
> > > >
> > > > Use "user_id" instead. Otherwise, you'll get a syntax error when the
> > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > says that it must be a USER_IDENTIFIER.
> > >
> > > Right as usual.
> > >
> >
> > Maybe make user_id more generic as it is no longer only used for users..
>
> Just making generic would make the user related parts of the grammar
> harder to read. What about this:
>

Fine.

> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk/checkpolicy/policy_parse.y (revision 2076)
> +++ trunk/checkpolicy/policy_parse.y (working copy)
> @@ -605,6 +605,8 @@ > ; > user_id : identifier > | user_identifier > + ; > +dash_id : user_id > ; > user_def : USER user_id ROLES names opt_mls_user ';' > {if (define_user()) return -1;} @@ > -679,11 +681,11 @@ > genfs_contexts : genfs_context_def > | genfs_contexts genfs_context_def > ; > -genfs_context_def : GENFSCON identifier path '-' > identifier security_context_def > +genfs_context_def : GENFSCON dash_id path '-' identifier > security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path '-' '-' > {insert_id("-", 0);} security_context_def > + | GENFSCON dash_id path '-' '-' > {insert_id("-", 0);} > +security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path > security_context_def > + | GENFSCON dash_id path security_context_def > {if (define_genfs_context(0)) return -1;} > ; > ipv4_addr_def : number '.' number '.' number > '.' number
>
>
> Signed-off by: Karl MacMillan
>
Acked-By: Joshua Brindle

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Nov 2006 13:18:58 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <1162397375.29617.20.camel@localhost.localdomain>
References: <6FE441CD9F0C0C479F2D88F959B0158851492D@exchange.columbia.tresys.com> <1162397375.29617.20.camel@localhost.localdomain>
Message-ID: <1162405138.32614.248.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
> > >
> > > > > I looked at fixing this by changing genfscon to use user_identifier
> > > > > instead of identifier (they are the same except user_identifier
> > > > > includes "-"). This made checkpolicy generate a syntax error for all
> > > > > genfscon statements - haven't tracked down what the problem is. The
> > > > > grammar still seems to be unambiguous.
> > > >
> > > > Use "user_id" instead. Otherwise, you'll get a syntax error when the
> > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > says that it must be a USER_IDENTIFIER.
> > >
> > > Right as usual.
> > >
> >
> > Maybe make user_id more generic as it is no longer only used for users..
>
> Just making generic would make the user related parts of the grammar
> harder to read. What about this:
>
> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk/checkpolicy/policy_parse.y (revision 2076)
> +++ trunk/checkpolicy/policy_parse.y (working copy)
> @@ -605,6 +605,8 @@ > ; > user_id : identifier > | user_identifier > + ; > +dash_id : user_id > ; > user_def : USER user_id ROLES names opt_mls_user ';' > {if (define_user()) return -1;}
> @@ -679,11 +681,11 @@ > genfs_contexts : genfs_context_def > | genfs_contexts genfs_context_def > ; > -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def > +genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def > + | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path security_context_def > + | GENFSCON dash_id path security_context_def > {if (define_genfs_context(0)) return -1;} > ; > ipv4_addr_def : number '.' number '.' number '.' number
>
>
> Signed-off by: Karl MacMillan

Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:

Index: checkpolicy/policy_scan.l
===================================================================
--- checkpolicy/policy_scan.l (revision 2076)
+++ checkpolicy/policy_scan.l (working copy)
@@ -200,12 +200,11 @@ h2 | H2 { return(H2); } "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext)) +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) return(IDENTIFIER); else REJECT; } -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } {digit}{digit}* { return(NUMBER); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
Index: checkpolicy/policy_parse.y
===================================================================
--- checkpolicy/policy_parse.y (revision 2076)
+++ checkpolicy/policy_parse.y (working copy)
@@ -190,7 +190,6 @@ %token NOT AND OR XOR %token CTRUE CFALSE %token IDENTIFIER -%token USER_IDENTIFIER %token NUMBER %token EQUALS %token NOTEQUAL
@@ -522,13 +521,13 @@ | T1 op T2 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); if ($$ == 0) return -1; } - | U1 op { if (insert_separator(1)) return -1; } user_names_push + | U1 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); if ($$ == 0) return -1; } - | U2 op { if (insert_separator(1)) return -1; } user_names_push + | U2 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); if ($$ == 0) return -1; } - | U3 op { if (insert_separator(1)) return -1; } user_names_push + | U3 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); if ($$ == 0) return -1; } | R1 op { if (insert_separator(1)) return -1; } names_push @@ -603,10 +602,7 @@ users : user_def | users user_def ; -user_id : identifier - | user_identifier - ; -user_def : USER user_id ROLES names opt_mls_user ';' +user_def : USER identifier ROLES names opt_mls_user ';' {if (define_user()) return -1;} ; opt_mls_user : LEVEL mls_level_def RANGE mls_range_def @@ -698,7 +694,7 @@ $$ = addr; } ; -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def ; opt_mls_range_def : ':' mls_range_def | 
@@ -766,23 +762,6 @@ identifier : IDENTIFIER { if (insert_id(yytext,0)) return -1; } ; -user_identifier : USER_IDENTIFIER - { if (insert_id(yytext,0)) return -1; } - ; -user_identifier_push : USER_IDENTIFIER - { if (insert_id(yytext, 1)) return -1; } - ; -user_identifier_list_push : user_identifier_push - | identifier_list_push user_identifier_push - | user_identifier_list_push identifier_push - | user_identifier_list_push user_identifier_push - ; -user_names_push : names_push - | user_identifier_push - | '{' user_identifier_list_push '}' - | tilde_push user_identifier_push - | tilde_push '{' user_identifier_list_push '}' - ; path : PATH { if (insert_id(yytext,0)) return -1; } ;

Builds svn refpolicy trunk with strict-mls, no change in policy.21.

--
Stephen Smalley
National Security Agency

From: lists-gawain at felicity-group.com (Gawain Lynch)
Date: Thu, 02 Nov 2006 14:25:54 +1100
Subject: setroubleshoot question...
Message-ID: <1162437954.3728.16.camel@legolas.felicity.net.au>

I have copied across an audit log from another FC6 host to my FC6 laptop
and am trying to open it with the "SELinux Troubleshooter".

When I do it just hangs there with "loading data..." down the bottom and
the progress bar is sitting around 50%. The log is only 200 KiB and I
have left it overnight, but nothing finishes.

Am I doing something wrong or should I bz it?

Take care,

Gawain

From: arthur at levelogic.com (Arthur M. Kang)
Date: Thu, 02 Nov 2006 03:02:23 -0800
Subject: setsebool sandbox error on FC6
Message-ID: <4549D03F.5000606@levelogic.com>

On a fresh install of FC6, I'm getting errors when trying to use the
setsebool command.

# setsebool httpd_disable_trans 1
libsemanage.semanage_commit_sandbox: Error while renaming /etc/selinux/targeted/modules/active to /etc/selinux/targeted/modules/previous.
Could not change policy booleans

Has anyone else experienced similar problems? Is there a problem on
my end? Is there a fix?

Although the error message is generated, the boolean does get set.
However, the -P switch doesn't work and the boolean won't stick across
reboots.

Is there an alternate method to remotely configure booleans that stick
across reboots?

Any help is appreciated.

Arthur

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 01 Nov 2006 14:19:26 -0500
Subject: Today's update: install errors
In-Reply-To: <4c4ba1530610300946r1be9ad13oe10f03c12f27f411@mail.gmail.com>
References: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com> <454635C2.50200@redhat.com> <4c4ba1530610300946r1be9ad13oe10f03c12f27f411@mail.gmail.com>
Message-ID: <4548F33E.1050008@redhat.com>

Tom London wrote:
> On 10/30/06, Daniel J Walsh wrote:
>> Tom London wrote:
>> > Running latest rawhide, targeted/enforcing.
>> >
>> > Got this with today's updates:
>> >
>> > Updating : selinux-policy-targeted ####################### [ 6/12]
>> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
>> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
>> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
>> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
>> > semodule: Failed!
>> > Cleanup : selinux-policy ####################### [ 7/12]
>> >
>> > tom
>> Any avc messages?
>>
> I'm thinking maybe this is related to the glibc breaking setuid programs.
>
> That possible?
>
> tom
I have no idea. I have not seen the breakage. Were you able to load
policy after fixing glibc problem?

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 02 Nov 2006 08:25:01 -0500
Subject: setsebool sandbox error on FC6
In-Reply-To: <4549D03F.5000606@levelogic.com>
References: <4549D03F.5000606@levelogic.com>
Message-ID: <1162473901.22051.3.camel@moss-spartans.epoch.ncsc.mil>

(please disable html mail at least when posting to public lists)

On Thu, 2006-11-02 at 03:02 -0800, Arthur M. Kang wrote:
> On a fresh install of FC6, I'm getting errors when trying to use the
> setsebool command.
>
> # setsebool httpd_disable_trans 1
> libsemanage.semanage_commit_sandbox: Error while
> renaming /etc/selinux/targeted/modules/active
> to /etc/selinux/targeted/modules/previous.
> Could not change policy booleans

This usually means that there is a labeling problem with /etc/selinux.
Run /sbin/restorecon -R /etc/selinux/targeted/modules. Then try again.
Check for audit messages in /var/log/messages or /var/log/audit/audit.log
(the latter if running auditd).

> Has anyone else experienced similar problems? Is there a problem on
> my end? Is there a fix?
>
> Although the error message is generated, the boolean does get set.
> However, the -P switch doesn't work and the boolean won't stick across
> reboots.
>
> Is there an alternate method to remotely configure booleans that stick
> across reboots?
>
> Any help is appreciated.

--
Stephen Smalley
National Security Agency

From: selinux at gmail.com (Tom London)
Date: Thu, 2 Nov 2006 06:37:20 -0800
Subject: Today's update: install errors
In-Reply-To: <4548F33E.1050008@redhat.com>
References: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com> <454635C2.50200@redhat.com> <4c4ba1530610300946r1be9ad13oe10f03c12f27f411@mail.gmail.com> <4548F33E.1050008@redhat.com>
Message-ID: <4c4ba1530611020637j571e8684p623dd0eb54e36552@mail.gmail.com>

On 11/1/06, Daniel J Walsh wrote:
> Tom London wrote:
> > On 10/30/06, Daniel J Walsh wrote:
> >> Tom London wrote:
> >> > Running latest rawhide, targeted/enforcing.
> >> >
> >> > Got this with today's updates:
> >> >
> >> > Updating : selinux-policy-targeted ####################### [ 6/12]
> >> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
> >> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
> >> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
> >> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
> >> > semodule: Failed!
> >> > Cleanup : selinux-policy ####################### [ 7/12]
> >> >
> >> > tom
> >> Any avc messages?
> >>
> > I'm thinking maybe this is related to the glibc breaking setuid programs.
> >
> > That possible?
> >
> > tom
> I have no idea. I have not seen the breakage. Were you able to load
> policy after fixing glibc problem?
>
System would boot, but .... I had to login as root to get anything done.

Regardless, this appears a non-problem: vanished after the glibc update.

Sorry for the 'too quick' report,

tom
--
Tom London

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 02 Nov 2006 10:30:29 -0500
Subject: setroubleshoot question...
In-Reply-To: <1162437954.3728.16.camel@legolas.felicity.net.au>
References: <1162437954.3728.16.camel@legolas.felicity.net.au>
Message-ID: <1162481429.6503.6.camel@localhost.localdomain>

On Thu, 2006-11-02 at 14:25 +1100, Gawain Lynch wrote:
> I have copied across an audit log from another FC6 host to my FC6 laptop
> and am trying to open it with the "SELinux Troubleshooter".
>
> When I do it just hangs there with "loading data..." down the bottom and
> the progress bar is sitting around 50%. The log is only 200 KiB and I
> have left it overnight, but nothing finishes.
>
> Am I doing something wrong or should I bz it?
>

Please file a bz and attach the log file if you can.

Thanks - Karl

> Take care,
>
> Gawain
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From: jdennis at redhat.com (John Dennis)
Date: Thu, 02 Nov 2006 10:36:26 -0500
Subject: setroubleshoot question...
In-Reply-To: <1162437954.3728.16.camel@legolas.felicity.net.au>
References: <1162437954.3728.16.camel@legolas.felicity.net.au>
Message-ID: <1162481786.2679.11.camel@finch.boston.redhat.com>

On Thu, 2006-11-02 at 14:25 +1100, Gawain Lynch wrote:
> I have copied across an audit log from another FC6 host to my FC6 laptop
> and am trying to open it with the "SELinux Troubleshooter".
>
> When I do it just hangs there with "loading data..." down the bottom and
> the progress bar is sitting around 50%. The log is only 200 KiB and I
> have left it overnight, but nothing finishes.
>
> Am I doing something wrong or should I bz it?

No, you're not doing anything wrong. The log file scanning in the
released version was disabled pending a rewrite of some of the code,
that rewrite is nearing completion but has not been released yet. The menu
item should have been disabled. My apologies for the confusion.

--
John Dennis
Red Hat Inc.

From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 02 Nov 2006 10:03:15 -0600
Subject: Selinux and denyhosts
Message-ID:

I maintain the denyhosts package in Fedora Extras. Recently a user
reported that denyhosts resets the security context on /etc/hosts.deny
which breaks other services. (The ticket is
https://bugzilla.redhat.com/212771 .)

It isn't completely clear what is happening from the report.
Denyhosts performs two operations on hosts.deny:

1) When adding new hosts, it appends (usually) two lines to the file.
2) When purging old hosts, it creates a new temporary file (currently
   named hosts.deny.purge.tmp, although there's certainly no permanent
   guarantee of this), copies over the lines not being purged, and
   then renames the new file into place.

My understanding is that the first operation won't change the security
context of the file, but the second is quite likely to.

Unfortunately the reporter hasn't provided any information about
whether my last suggestion of running

semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp

or using a pattern helped the situation. My understanding is that
this should fix the issue, but I am far from a selinux expert. Might
anyone have additional advice? Is there any way to future-proof this
in case upstream decides to use a different temporary filename? Would
it be reasonable to create a full policy for denyhosts?

- J<

From: paul at city-fan.org (Paul Howarth)
Date: Thu, 02 Nov 2006 16:45:24 +0000
Subject: Selinux and denyhosts
In-Reply-To:
References:
Message-ID: <454A20A4.5010406@city-fan.org>

Jason L Tibbitts III wrote:
> I maintain the denyhosts package in Fedora Extras. Recently a user
> reported that denyhosts resets the security context on /etc/hosts.deny
> which breaks other services. (The ticket is
> https://bugzilla.redhat.com/212771 .)
>
> It isn't completely clear what is happening from the report.
> Denyhosts performs two operations on hosts.deny:
>
> 1) When adding new hosts, it appends (usually) two lines to the file.
> 2) When purging old hosts, it creates a new temporary file (currently
>    named hosts.deny.purge.tmp, although there's certainly no permanent
>    guarantee of this), copies over the lines not being purged, and
>    then renames the new file into place.
>
> My understanding is that the first operation won't change the security
> context of the file, but the second is quite likely to.
>
> Unfortunately the reporter hasn't provided any information about
> whether my last suggestion of running
>
> semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp
>
> or using a pattern helped the situation. My understanding is that
> this should fix the issue, but I am far from a selinux expert. Might
> anyone have additional advice? Is there any way to future-proof this
> in case upstream decides to use a different temporary filename? Would
> it be reasonable to create a full policy for denyhosts?

Using semanage like this is unlikely to improve the situation, as the
pathname-based default file contexts that it manages are used only in a
few special circumstances, such as installing packages or using
"restorecon".

I think the suggestion in comment #2 of running restorecon on the new
file is the safest one, as it will work if the default context of the
hosts.deny file changes.
Of course, this will leave a small window of time where the file has the
wrong context between creation of the new file and the running of
restorecon, so you might also consider doing the equivalent of
"chcon -t etc_t $TMPFILE" before moving it into place.

It'd be nice if there was a way of setting the context of a file to be
the same as the context of another file (somewhat like the --reference
option of touch), which would be useful in cases like this.

Paul.

From: kmacmill at redhat.com (Karl MacMillan)
Date: Thu, 02 Nov 2006 11:57:32 -0500
Subject: Selinux and denyhosts
In-Reply-To: <454A20A4.5010406@city-fan.org>
References: <454A20A4.5010406@city-fan.org>
Message-ID: <1162486652.6503.23.camel@localhost.localdomain>

On Thu, 2006-11-02 at 16:45 +0000, Paul Howarth wrote:
> Jason L Tibbitts III wrote:
> > I maintain the denyhosts package in Fedora Extras. Recently a user
> > reported that denyhosts resets the security context on /etc/hosts.deny
> > which breaks other services. (The ticket is
> > https://bugzilla.redhat.com/212771 .)
> >
> > It isn't completely clear what is happening from the report.
> > Denyhosts performs two operations on hosts.deny:
> >
> > 1) When adding new hosts, it appends (usually) two lines to the file.
> > 2) When purging old hosts, it creates a new temporary file (currently
> >    named hosts.deny.purge.tmp, although there's certainly no permanent
> >    guarantee of this), copies over the lines not being purged, and
> >    then renames the new file into place.
> >
> > My understanding is that the first operation won't change the security
> > context of the file, but the second is quite likely to.
> >
> > Unfortunately the reporter hasn't provided any information about
> > whether my last suggestion of running
> >
> > semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp
> >
> > or using a pattern helped the situation. My understanding is that
> > this should fix the issue, but I am far from a selinux expert. Might
> > anyone have additional advice? Is there any way to future-proof this
> > in case upstream decides to use a different temporary filename? Would
> > it be reasonable to create a full policy for denyhosts?
>
> Using semanage like this is unlikely to improve the situation, as the
> pathname-based default file contexts that it manages are used only in a
> few special circumstances, such as installing packages or using
> "restorecon".
>
> I think the suggestion in comment #2 of running restorecon on the new
> file is the safest one, as it will work if the default context of the
> hosts.deny file changes. Of course, this will leave a small window of
> time where the file has the wrong context between creation of the new
> file and the running of restorecon, so you might also consider doing the
> equivalent of "chcon -t etc_t $TMPFILE" before moving it into place.
>

The context should be set on the new file when it is created, otherwise
the data in the file would be stored with the wrong context for the
duration of the processing - just like the race you are describing when
it is moved into place.

> It'd be nice if there was a way of setting the context of a file to be
> the same as the context of another file (somewhat like the --reference
> option of touch), which would be useful in cases like this.
>

There is - see getfilecon and setfscreatecon in the selinux python
module. It should also be possible to use type_transitions in a
denyhosts policy to handle this. A quick glance at denyhosts suggests
that a policy might be a good idea anyway.

Karl

> Paul.
>

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 02 Nov 2006 13:12:22 -0500
Subject: Selinux and denyhosts
In-Reply-To: <454A20A4.5010406@city-fan.org>
References: <454A20A4.5010406@city-fan.org>
Message-ID: <1162491142.5519.10.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-11-02 at 16:45 +0000, Paul Howarth wrote:
> Jason L Tibbitts III wrote:
> > I maintain the denyhosts package in Fedora Extras. Recently a user
> > reported that denyhosts resets the security context on /etc/hosts.deny
> > which breaks other services. (The ticket is
> > https://bugzilla.redhat.com/212771 .)
> >
> > It isn't completely clear what is happening from the report.
> > Denyhosts performs two operations on hosts.deny:
> >
> > 1) When adding new hosts, it appends (usually) two lines to the file.
> > 2) When purging old hosts, it creates a new temporary file (currently
> >    named hosts.deny.purge.tmp, although there's certainly no permanent
> >    guarantee of this), copies over the lines not being purged, and
> >    then renames the new file into place.
> >
> > My understanding is that the first operation won't change the security
> > context of the file, but the second is quite likely to.
> >
> > Unfortunately the reporter hasn't provided any information about
> > whether my last suggestion of running
> >
> > semanage fcontext -a -t etc_t /etc/hosts.deny.purge.tmp
> >
> > or using a pattern helped the situation. My understanding is that
> > this should fix the issue, but I am far from a selinux expert. Might
> > anyone have additional advice? Is there any way to future-proof this
> > in case upstream decides to use a different temporary filename? Would
> > it be reasonable to create a full policy for denyhosts?
>
> Using semanage like this is unlikely to improve the situation, as the
> pathname-based default file contexts that it manages are used only in a
> few special circumstances, such as installing packages or using
> "restorecon".
>
> I think the suggestion in comment #2 of running restorecon on the new
> file is the safest one, as it will work if the default context of the
> hosts.deny file changes. Of course, this will leave a small window of
> time where the file has the wrong context between creation of the new
> file and the running of restorecon, so you might also consider doing the
> equivalent of "chcon -t etc_t $TMPFILE" before moving it into place.
>
> It'd be nice if there was a way of setting the context of a file to be
> the same as the context of another file (somewhat like the --reference
> option of touch), which would be useful in cases like this.

chcon has an option for that, e.g.
chcon --reference /etc/hosts.deny $TMPFILE

But Karl is correct - you want to create the file in the right context
in the first place, and this can be done via policy (type transition
rules) or by code (having the application that creates the temporary
file use getfilecon to get the original context and setfscreatecon to
specify that context for use in subsequent file creations).

--
Stephen Smalley
National Security Agency

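An added example, mine rather than denyhosts' code and not part of this thread, of the approach Karl and Stephen describe: read the context of hosts.deny with getfilecon, install it with setfscreatecon so the replacement file is created already labelled, then rename it into place. It assumes the libselinux Python bindings (module `selinux`, with `is_selinux_enabled()`, `getfilecon()` returning `[rc, context]` and `setfscreatecon()`); the two label hooks are parameters so the logic also runs, as `run_demo()` does with constructed entries and a constructed context, on a host without SELinux. The temporary file name is my choice, not denyhosts' hosts.deny.purge.tmp.

```python
import os
import tempfile

try:
    import selinux                      # libselinux Python bindings
except ImportError:                     # assumption: may run where libselinux is absent
    selinux = None


def selinux_getfilecon(path):
    """Context of `path` via libselinux, or None when SELinux is unavailable."""
    if selinux is None or not selinux.is_selinux_enabled():
        return None
    rc, ctx = selinux.getfilecon(path)  # the bindings return [rc, context]
    return ctx if rc >= 0 else None


def selinux_setfscreatecon(ctx):
    """Set the context for files this process creates; None restores the default."""
    if selinux is not None and selinux.is_selinux_enabled():
        selinux.setfscreatecon(ctx)


def purge_hosts_deny(path, should_keep,
                     getfilecon=selinux_getfilecon,
                     setfscreatecon=selinux_setfscreatecon):
    """Rewrite `path`, keeping only the lines for which should_keep(line) is true.

    The file's current context is read first and installed as the process's
    file-creation context, so the temporary file is born with the right label
    and there is no chcon/restorecon window; rename() then swaps it into place.
    Returns the number of lines dropped.
    """
    with open(path) as f:
        lines = f.readlines()
    kept = [line for line in lines if should_keep(line)]
    mode = os.stat(path).st_mode & 0o7777

    ctx = getfilecon(path)
    setfscreatecon(ctx)                 # from here on, new files get `ctx`
    try:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                                   prefix=".hosts.deny.")
    finally:
        setfscreatecon(None)            # never leave the creation context set
    try:
        with os.fdopen(fd, "w") as f:
            f.writelines(kept)
        os.chmod(tmp, mode)             # mkstemp creates 0600; keep the DAC mode too
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(lines) - len(kept)


def run_demo():
    """Constructed demonstration with fake label hooks; returns what happened."""
    events = []

    def fake_getfilecon(path):
        return "system_u:object_r:etc_t:s0"     # constructed context

    def fake_setfscreatecon(ctx):
        events.append(ctx)                      # records the set/clear sequence

    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hosts.deny")
    with open(path, "w") as f:                  # constructed entries
        f.write("sshd: 192.0.2.10\nsshd: 192.0.2.20\nsshd: 192.0.2.30\n")
    dropped = purge_hosts_deny(path, lambda line: "192.0.2.20" not in line,
                               fake_getfilecon, fake_setfscreatecon)
    with open(path) as f:
        remaining = f.read()
    return {"dropped": dropped, "remaining": remaining, "events": events,
            "leftovers": [n for n in os.listdir(workdir) if n != "hosts.deny"]}
```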
From: lists-gawain at felicity-group.com (Gawain Lynch)
Date: Fri, 03 Nov 2006 09:46:43 +1100
Subject: setroubleshoot question...
In-Reply-To: <1162481786.2679.11.camel@finch.boston.redhat.com>
References: <1162437954.3728.16.camel@legolas.felicity.net.au> <1162481786.2679.11.camel@finch.boston.redhat.com>
Message-ID: <1162507603.17219.0.camel@legolas.felicity.net.au>

On Thu, 2006-11-02 at 10:36 -0500, John Dennis wrote:
> On Thu, 2006-11-02 at 14:25 +1100, Gawain Lynch wrote:
> > I have copied across an audit log from another FC6 host to my FC6 laptop
> > and am trying to open it with the "SELinux Troubleshooter".
> >
> > When I do it just hangs there with "loading data..." down the bottom and
> > the progress bar is sitting around 50%. The log is only 200 KiB and I
> > have left it overnight, but nothing finishes.
> >
> > Am I doing something wrong or should I bz it?
>
> No, you're not doing anything wrong. The log file scanning in the
> released version was disabled pending a rewrite of some of the code,
> that rewrite is nearing completion but has not been released yet. The menu
> item should have been disabled. My apologies for the confusion.

Phew! Any *rough* ideas when the new code will hit -testing?

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 03 Nov 2006 12:53:06 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <1162480950.6503.4.camel@localhost.localdomain>
References: <6FE441CD9F0C0C479F2D88F959B0158851492D@exchange.columbia.tresys.com> <1162397375.29617.20.camel@localhost.localdomain> <1162405138.32614.248.camel@moss-spartans.epoch.ncsc.mil> <1162480950.6503.4.camel@localhost.localdomain>
Message-ID: <1162576386.5519.127.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-11-02 at 10:22 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 13:18 -0500, Stephen Smalley wrote:
> > On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> > > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > > > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
> > > > >
> > > > > > > I looked at fixing this by changing genfscon to use user_identifier
> > > > > > > instead of identifier (they are the same except user_identifier
> > > > > > > includes "-"). This made checkpolicy generate a syntax error for all
> > > > > > > genfscon statements - haven't tracked down what the problem is. The
> > > > > > > grammar still seems to be unambiguous.
> > > > > >
> > > > > > Use "user_id" instead. Otherwise, you'll get a syntax error when the
> > > > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > > > says that it must be a USER_IDENTIFIER.
> > > > >
> > > > > Right as usual.
> > > > >
> > > >
> > > > Maybe make user_id more generic as it is no longer only used for users..
> > >
> > > Just making generic would make the user related parts of the grammar
> > > harder to read. What about this:
> > >
> > Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
>
> That's fine with me - there is really no reason to disallow "-" in any
> of the identifiers. Makes a lot of documentation wrong, but the docs
> being more restrictive isn't a big deal.

Only possible reason would be to avoid ambiguity in MLS ranges (e.g.
s0-s0:c0.c255), but we already have that problem in checkpolicy from
USER_IDENTIFIER, which is why one has to use spaces around the - in the
range. So it would only matter if someone put a - in a sensitivity or
category name.

> >
> >
> > Index: checkpolicy/policy_scan.l
> > ===================================================================
> > --- checkpolicy/policy_scan.l (revision 2076)
> > +++ checkpolicy/policy_scan.l (working copy)
> > @@ -200,12 +200,11 @@ > > h2 | > > H2 { return(H2); } > > "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } > > -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext)) > > +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) > > return(IDENTIFIER); > > else > > REJECT; > > } > > -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } > > {digit}{digit}* { return(NUMBER); } > > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } > > {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } > > Index: checkpolicy/policy_parse.y > > =================================================================== > > --- checkpolicy/policy_parse.y (revision 2076) > > +++ checkpolicy/policy_parse.y (working copy) > > @@ -190,7 +190,6 @@ > > %token NOT AND OR XOR > > %token CTRUE CFALSE > > %token IDENTIFIER > > -%token USER_IDENTIFIER > > %token NUMBER > > %token EQUALS > > %token NOTEQUAL > > @@ -522,13 +521,13 @@ > > | T1 op T2 > > { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); > > if ($$ == 0) return -1; } > > - | U1 op { if (insert_separator(1)) return -1; } user_names_push > > + | U1 op { if (insert_separator(1)) return -1; } names_push > > { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); > > if ($$ == 0) return -1; } > > - | U2 op { if (insert_separator(1)) return -1; } user_names_push > > + | U2 op { if (insert_separator(1)) return -1; } names_push > > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); > > if ($$ == 0) return -1; } > > - | U3 op { if (insert_separator(1)) return -1; } user_names_push > > + | U3 op { if (insert_separator(1)) return -1; } names_push > > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); > > if ($$ == 0) return -1; } > > | R1 op { if (insert_separator(1)) return -1; } names_push 
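Review bot: in the policy_scan.l hunk the surviving IDENTIFIER rule now admits "-", so an MLS range written without spaces, s0-s0:c0.c255, still lexes "s0-s0" as one token by longest match, which is the spacing trap the reply describes; please add a comment above the rule and a line in the commit message saying the "-" in a range must be whitespace-separated, since the removed USER_IDENTIFIER rule was the only hint of that in the scanner. Also, REJECT in the is_valid_identifier() branch used to fall through to the identical USER_IDENTIFIER pattern; with that rule gone it falls through to the next-longest match instead, so check that a rejected reserved word now produces a clear error rather than a shorter identifier followed by stray characters.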
> > @@ -603,10 +602,7 @@ > > users : user_def > > | users user_def > > ; > > -user_id : identifier > > - | user_identifier > > - ; > > -user_def : USER user_id ROLES names opt_mls_user ';' > > +user_def : USER identifier ROLES names opt_mls_user ';' > > {if (define_user()) return -1;} > > ; > > opt_mls_user : LEVEL mls_level_def RANGE mls_range_def > > @@ -698,7 +694,7 @@ > > $$ = addr; > > } > > ; > > -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def > > +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def > > ; > > opt_mls_range_def : ':' mls_range_def > > | > > @@ -766,23 +762,6 @@ > > identifier : IDENTIFIER > > { if (insert_id(yytext,0)) return -1; } > > ; > > -user_identifier : USER_IDENTIFIER > > - { if (insert_id(yytext,0)) return -1; } > > - ; > > -user_identifier_push : USER_IDENTIFIER > > - { if (insert_id(yytext, 1)) return -1; } > > - ; > > -user_identifier_list_push : user_identifier_push > > - | identifier_list_push user_identifier_push > > - | user_identifier_list_push identifier_push > > - | user_identifier_list_push user_identifier_push > > - ; > > -user_names_push : names_push > > - | user_identifier_push > > - | '{' user_identifier_list_push '}' > > - | tilde_push user_identifier_push > > - | tilde_push '{' user_identifier_list_push '}' > > - ; > > path : PATH > > { if (insert_id(yytext,0)) return -1; } > > ; > > > > Builds svn refpolicy trunk with strict-mls, no change in policy.21. > > > > Acked-by: Karl MacMillan > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. -- Stephen Smalley National Security Agency From selinux at gmail.com Sat Nov 4 19:11:57 2006 
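Review bot: the @@ -603 and @@ -766 hunks delete user_id, user_identifier, user_identifier_push, user_identifier_list_push and user_names_push, but only the user_def, security_context_def and U1/U2/U3 productions are rewritten in this patch; grep policy_parse.y for any other use of those nonterminals before committing, since bison fails on an undefined symbol. The checkpolicy documentation that says identifiers cannot contain "-" becomes wrong with this change, as the reply acknowledges, so update it in the same commit or file a follow-up.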
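The scanner change discussed above, as an added example that is not checkpolicy's code: a small Python model of the flex rules before and after the patch. The rule names and regexes are taken from the hunk; keywords and the is_valid_identifier()/REJECT path are left out; RULES_BEFORE, RULES_AFTER, tokenize, is_identifier and mls_range are this example's own names, and mls_range mirrors the mls_range_def / mls_level_def productions of policy_parse.y as this editor reads them. It shows why ntfs-3g was a syntax error before the patch (it lexed as USER_IDENTIFIER where genfscon wanted identifier) and is a plain identifier after it, and that under both rule sets s0-s0:c0.c255 lexes "s0-s0" as one token, so the spaces around the "-" stay mandatory: the patched scanner hands the parser a single level whose sensitivity is named "s0-s0", which no sensitivity declaration matches.

```python
"""Longest-match tokenizer for the checkpolicy scanner rules discussed above.

Added example for the thread, not code from checkpolicy. It models only the
rules relevant to the dash question and reproduces two flex rules of thumb:
the longest match wins, and among equal-length matches the earlier rule wins.
Keywords and the is_valid_identifier()/REJECT path are left out.
"""
import re

# Scanner rules before the patch: IDENTIFIER without "-", then the identical
# prefix pattern with "-" returning USER_IDENTIFIER.
RULES_BEFORE = [
    ("PATH", r"/[A-Za-z0-9_.\-/]*"),
    ("IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.]*"),
    ("USER_IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.\-]*"),
    ("NUMBER", r"[0-9]+"),
    ("CHAR", r"[\s\S]"),   # anything else is returned as the character itself
]
# After the patch: a single IDENTIFIER rule that admits "-".
RULES_AFTER = [
    ("PATH", r"/[A-Za-z0-9_.\-/]*"),
    ("IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.\-]*"),
    ("NUMBER", r"[0-9]+"),
    ("CHAR", r"[\s\S]"),
]


def tokenize(text, rules):
    """Return (kind, lexeme) pairs; single-character tokens use the character as kind."""
    compiled = [(kind, re.compile(pat)) for kind, pat in rules]
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        best_kind, best_end = None, pos
        for kind, pat in compiled:
            m = pat.match(text, pos)
            if m and m.end() > best_end:   # strictly longer: a tie keeps the earlier rule
                best_kind, best_end = kind, m.end()
        lexeme = text[pos:best_end]
        tokens.append((lexeme if best_kind == "CHAR" else best_kind, lexeme))
        pos = best_end
    return tokens


def is_identifier(tokens):
    """The 'identifier : IDENTIFIER' production that a genfscon filesystem name
    goes through; a USER_IDENTIFIER token here was the reported syntax error."""
    return len(tokens) == 1 and tokens[0][0] == "IDENTIFIER"


def mls_range(tokens):
    """Shape of  mls_range_def : mls_level_def '-' mls_level_def | mls_level_def
    with  mls_level_def : IDENTIFIER [':' IDENTIFIER {',' IDENTIFIER}].
    Returns a list of (sensitivity, categories) levels, or None when the token
    sequence does not fit. A category range such as c0.c255 stays one token:
    '.' was always allowed in identifiers and checkpolicy splits it later."""
    levels, i = [], 0
    while True:
        if i >= len(tokens) or tokens[i][0] != "IDENTIFIER":
            return None
        sens, cats = tokens[i][1], []
        i += 1
        if i + 1 < len(tokens) and tokens[i][0] == ":" and tokens[i + 1][0] == "IDENTIFIER":
            cats.append(tokens[i + 1][1])
            i += 2
            while i + 1 < len(tokens) and tokens[i][0] == "," and tokens[i + 1][0] == "IDENTIFIER":
                cats.append(tokens[i + 1][1])
                i += 2
        levels.append((sens, cats))
        if i == len(tokens):
            return levels
        if tokens[i][0] == "-" and len(levels) == 1:
            i += 1
        else:
            return None


if __name__ == "__main__":
    for text in ("ntfs-3g", "s0-s0:c0.c255", "s0 - s0:c0.c255"):
        for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
            toks = tokenize(text, rules)
            print("%-8s %-18s %s  range=%s" % (label, text, toks, mls_range(toks)))
```

Run stand-alone it prints the token streams for the three inputs under both rule sets; the "s0-s0:c0.c255" case comes out as one level under the patched rules, which is the reason the range syntax needs the spaces either way.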
From: selinux at gmail.com (Tom London) Date: Sat, 4 Nov 2006 11:11:57 -0800 Subject: Today's update: mctransd error during updates Message-ID: <4c4ba1530611041111s48594072gb100a7e3a6319fb@mail.gmail.com> Running targeted/enforcing, latest rawhide. During today's updates, I got a 'hard gnome logout'. After logging back in, found this in /var/log/messages: Nov 4 09:45:30 localhost kernel: security: 3 users, 6 roles, 1561 types, 170 bools, 1 sens, 1024 cats Nov 4 09:45:30 localhost kernel: security: 59 classes, 48592 rules Nov 4 09:45:30 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?) Nov 4 09:45:30 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?) Nov 4 09:45:30 localhost Updated: selinux-policy-targeted.noarch 2.4.2-8 Nov 4 09:45:30 localhost mcstransd: Unknown/error events (8) encountered for fd (5) So yum didn't finish, and I had to remove the duplicate packages manually. Nothing unusual in /var/log/audit/audit.log. Reboot appears OK. tom -- Tom London From bench at silentmedia.com Sat Nov 4 23:27:41 2006 
From: bench at silentmedia.com (Ben) Date: Sat, 4 Nov 2006 15:27:41 -0800 Subject: AVC errors on xen domU Message-ID: <8C4E9045-4687-42E6-9ED2-6E3CE31F13DE@silentmedia.com> I recently upgraded some dom0 and domU machines to the 2.6.18-1.2200 kernel, now that the new xen packages are out which let it work. While it works well enough, on the domU machines I'm now seeing this: avc: denied { getattr } for pid=19349 comm="agetty" name="xvc0" dev=tmpfs ino=1614 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file whenever init tries to spawn the console. I have these selinux versions installed: libselinux-1.30.3-4.fc5 selinux-policy-2.3.7-2.fc5 selinux-policy-targeted-2.3.7-2.fc5 From norm at workingtools.ca Sun Nov 5 19:24:24 2006 From: norm at workingtools.ca (Norm) Date: Sun, 5 Nov 2006 11:24:24 -0800 Subject: SELinux is preventing /usr/sbin/groupadd Message-ID: <20061105112424.71ad2380@david.hill.bnb> I am sure the explanation and information is clear enough in the Setroubleshoot browser report but the catch is I don't understand it nor can I seem to figure out what to do to stop the problem "SELinux is preventing /usr/sbin/groupadd(useradd_t) "sys_tty_config" to (groupadd_t)" I appreciate that it could be an intrusion attempt but that is unlikely and as it occurred when I was not on the computer I assume it is part of a cron process or similar. How do I deal with it? From LEFFLESA at nv.doe.gov Sun Nov 5 19:33:43 2006 
From: LEFFLESA at nv.doe.gov (Leffler, Sean) Date: Sun, 5 Nov 2006 12:33:43 -0700 Subject: Need help for midterm project/presentation (FC5 & SELinux) Message-ID: So I volunteered (!?!?!) to give a presentation on SELinux for my midterm project. At the time I thought 'cool, how hard can this be.' (ok, you can stop laughing now) So now I'm a bit panic'd. I picked up the O'Reilly book and the other one SELinux by Example. The pickle I'm in is that the class is using FC5 and both books were written for earlier versions and it's befuddling me. So I thought I would beg on this list for a few examples I could present to the class on how to do some basic policy stuff. Like here is a new widget and this is how you modify permissions to make it work, yada yada. Nothing major just simple stuff like that. (I will touch on the targeted policy for the big daemons/services but I wanted to show how you might tackle a problem that was not part of the targeted list.) I have been reading everything I can find on FC5/SELinux but I've just run out of time. So any help would be appreciated, and FWIW, I really dig this stuff. :) Sean From rirving at antient.org Sun Nov 5 22:51:23 2006 
From: rirving at antient.org (Richard Irving) Date: Sun, 05 Nov 2006 17:51:23 -0500 Subject: Need help for midterm project/presentation (FC5 & SELinux) In-Reply-To: References: Message-ID: <454E6AEB.4060508@antient.org> Leffler, Sean wrote: > So I volunteered (!?!?!) to give a presentation on SELinux for my > midterm project. > At the time I thought 'cool, how hard can this be.' (ok, you can stop > laughing now) http://fedora.redhat.com/docs/selinux-faq-fc5/ "audit2allow -M local.te" is your friend, or enemy if misused. Also make sure you "yum install checkpolicy", so this works as expected... > > So now I'm a bit panic'd. I picked up the O'Reilly book and the other > one SELinux by Example. > The pickle I'm in is that the class is using FC5 and both books were > written for earlier versions and it's befuddling me. > > So I thought I would beg on this list for a few examples I could > present to the class on how to do some basic policy stuff. > Like here is a new widget and this is how you modify permissions to > make it work, yada yada. Nothing major just simple stuff like that. (I > will touch on the targeted policy for the big daemons/services but I > wanted to show how you might tackle a problem that was not part of the > targeted list.) > > I have been reading everything I can find on FC5/SELinux but I've just > run out of time. > So any help would be appreciated, and FWIW, I really dig this stuff. :) > > Sean > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From Volker at englisch.us Mon Nov 6 06:31:25 2006 
From: Volker at englisch.us (Volker Englisch) Date: Mon, 06 Nov 2006 01:31:25 -0500 Subject: Permission denied for public_html Message-ID: <454ED6BD.3000900@Englisch.us> Hi, I recently installed FC6 on an x86_64 box and I was trying to modify SELinux so that I could use Samba and HTTP access to the public_html directory within the user home directories but cannot get this to work. Whenever I'm accessing the user website via http://mydomain.us/~user I am getting a 403 Permission Denied error. However, everything is working OK when I turn off SELinux enforcement. I've followed these instructions http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-public_html to set up the public_html directories but I'm still getting the 403 error. Any suggestions on how to best trouble-shoot this problem? -- Thanks Volker Englisch mailto:Volker at Englisch.us (h) From paul at city-fan.org Mon Nov 6 09:05:07 2006 
From: paul at city-fan.org (Paul Howarth) Date: Mon, 06 Nov 2006 09:05:07 +0000 Subject: Permission denied for public_html In-Reply-To: <454ED6BD.3000900@Englisch.us> References: <454ED6BD.3000900@Englisch.us> Message-ID: <1162803907.10320.1.camel@metropolis.intra.city-fan.org> On Mon, 2006-11-06 at 01:31 -0500, Volker Englisch wrote: > Hi, > > I recently installed FC6 on an x86_64 box and I was trying to modify > SELinux so that I could use Samba and HTTP access to the public_html > directory within the user home directories but cannot get this to work. > Whenever I'm accessing the user website via > http://mydomain.us/~user > I am getting a 403 Permission Denied error. However, everything is > working OK when I turn off SELinux enforcement. > > I've followed these instructions > http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-public_html > to set up the public_html directories but I'm still getting the 403 error. > > Any suggestions on how to best trouble-shoot this problem? Try these settings first: # setsebool -P httpd_enable_homedirs 1 # setsebool -P samba_enable_home_dirs 1 Paul. From robin-lists at robinbowes.com Mon Nov 6 12:07:26 2006 From: robin-lists at robinbowes.com (Robin Bowes) Date: Mon, 06 Nov 2006 12:07:26 +0000 Subject: denied {search} pam_console_app Message-ID: Hi, I'm seeing a whole raft of these msgs at boot: audit(1162812576.696:158): avc: denied { search } for pid=523 comm="pam_console_app" name="var" dev=dm-0 ino=229377 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir audit2allow suggests this to fix: allow pam_console_t file_t:dir search; My question: Is this the right fix? Or is there some chcon magic I can do? R. From sds at tycho.nsa.gov Mon Nov 6 13:50:03 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 06 Nov 2006 08:50:03 -0500 Subject: Need help for midterm project/presentation (FC5 & SELinux) In-Reply-To: References: Message-ID: <1162821003.5519.264.camel@moss-spartans.epoch.ncsc.mil> On Sun, 2006-11-05 at 12:33 -0700, Leffler, Sean wrote: > So I volunteered (!?!?!) to give a presentation on SELinux for my > midterm project. > At the time I thought 'cool, how hard can this be.' (ok, you can stop > laughing now) > > So now I'm a bit panic'd. I picked up the O'Reilly book and the other > one SELinux by Example. > The pickle I'm in is that the class is using FC5 and both books were > written for earlier versions and it's befuddling me. The O'Reilly book is old (written during FC2 development, IIRC), but the SELinux by Example book is quite recent and included material on both the older approach (example policy, monolithic) and the newer approach incorporated into FC5 (reference policy, modular). > So I thought I would beg on this list for a few examples I could > present to the class on how to do some basic policy stuff. > Like here is a new widget and this is how you modify permissions to > make it work, yada yada. Nothing major just simple stuff like that. (I > will touch on the targeted policy for the big daemons/services but I > wanted to show how you might tackle a problem that was not part of the > targeted list.) > > I have been reading everything I can find on FC5/SELinux but I've just > run out of time. > So any help would be appreciated, and FWIW, I really dig this > stuff. :) http://fedoraproject.org/wiki/SELinux/ http://fedora.redhat.com/docs/selinux-faq-fc5/ You want to install selinux-policy-devel and checkpolicy to build loadable policy modules. /usr/share/selinux/devel/policygentool is a simple script for creating an initial stub for a policy module. audit2allow is a tool for blindly generating policy from audit messages, but you obviously want to exert care in using it. 
If you like IDEs, then you might try SLIDE, http://oss.tresys.com/projects/slide -- Stephen Smalley National Security Agency From Volker at englisch.us Mon Nov 6 14:18:42 2006 From: Volker at englisch.us (Volker Englisch) Date: Mon, 06 Nov 2006 09:18:42 -0500 Subject: Permission denied for public_html In-Reply-To: <1162803907.10320.1.camel@metropolis.intra.city-fan.org> References: <454ED6BD.3000900@Englisch.us> <1162803907.10320.1.camel@metropolis.intra.city-fan.org> Message-ID: <454F4442.8060701@Englisch.us> On 11/06/2006 04:05 AM Paul Howarth wrote: > Try these settings first: > > # setsebool -P httpd_enable_homedirs 1 > # setsebool -P samba_enable_home_dirs 1 > > Paul. > I had set these values in order to get samba to work. In fact, at some point I thought I did have both samba and http access to the public_html directory working but when I made additional changes trying to allow a cgi script to write to a directory I must have messed up the access to the user websites. By the way, access to the main website http://mydomain.us/ works without problems. Thanks Volker Englisch From fedora at grifent.com Mon Nov 6 19:08:33 2006 From: fedora at grifent.com (John Griffiths) Date: Mon, 06 Nov 2006 14:08:33 -0500 Subject: Permission denied for public_html In-Reply-To: <20061106170012.30B1673C6D@hormel.redhat.com> References: <20061106170012.30B1673C6D@hormel.redhat.com> Message-ID: <454F8831.6040905@grifent.com> > Subject: > Re: Permission denied for public_html 
> From: > Volker Englisch > Date: > Mon, 06 Nov 2006 09:18:42 -0500 > To: > Paul Howarth > > To: > Paul Howarth > CC: > fedora-selinux-list at redhat.com > > > On 11/06/2006 04:05 AM Paul Howarth wrote: >> Try these settings first: >> >> # setsebool -P httpd_enable_homedirs 1 >> # setsebool -P samba_enable_home_dirs 1 >> >> Paul. >> > > I had set these values in order to get samba to work. In fact, at > some point I thought I did have both samba and http access to the > public_html directory working but when I made additional changes > trying to allow a cgi script to write to a directory I must have > messed up the access to the user websites. > The context of the directory has to be public_content_rw_t for both Samba and httpd to access it. Regards, John Griffiths > By the way, access to the main website > http://mydomain.us/ > works without problems. > > Thanks > > Volker Englisch > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From Volker at englisch.us Mon Nov 6 20:03:27 2006 
From: Volker at englisch.us (Volker Englisch) Date: Mon, 06 Nov 2006 15:03:27 -0500 Subject: Permission denied for public_html In-Reply-To: <454F8831.6040905@grifent.com> References: <20061106170012.30B1673C6D@hormel.redhat.com> <454F8831.6040905@grifent.com> Message-ID: <454F950F.7060800@Englisch.us> on 11/6/2006 2:08 PM John Griffiths said the following: >> I had set these values in order to get samba to work. In fact, at >> some point I thought I did have both samba and http access to the >> public_html directory working but when I made additional changes >> trying to allow a cgi script to write to a directory I must have >> messed up the access to the user websites. >> > The context of the directory has to be public_content_rw_t for both > Samba and httpd to access it. I actually did have this context set this way in the beginning but now I would be happy if I could just access the user web pages again. That's why I had changed it back to httpd_sys_content_t. Here is the context of the directory (after changing the context back to public_content_rw_t: [root] ls -dZ public_html drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t public_html/ PWD=/home/kate [root] ls -Z public_html drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t images/ -rw-rw-r-- kate webedit user_u:object_r:public_content_rw_t index.html drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t pics/ drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t Themes/ [root] getsebool -a | grep enable_home httpd_enable_homedirs --> on samba_enable_home_dirs --> on spamd_enable_home_dirs --> on [root] getenforce Enforcing And the output from the /var/log/messages file when accessing the web page: ... 
Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72017): avc: denied { search } for pid=31270 comm="httpd" name="kate" dev=sda5 ino=14942209 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72018): avc: denied { getattr } for pid=31270 comm="httpd" name="kate" dev=sda5 ino=14942209 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir ... From all that I know everything looks good but maybe someone else can see what is wrong with my setup. Thanks Volker Englisch From dwalsh at redhat.com Mon Nov 6 20:33:10 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 06 Nov 2006 15:33:10 -0500 Subject: setsebool sandbox error on FC6 In-Reply-To: <1162473901.22051.3.camel@moss-spartans.epoch.ncsc.mil> References: <4549D03F.5000606@levelogic.com> <1162473901.22051.3.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <454F9C06.3010700@redhat.com> Stephen Smalley wrote: > (please disable html mail at least when posting to public lists) > > On Thu, 2006-11-02 at 03:02 -0800, Arthur M. Kang wrote: > >> On a fresh install of FC6, I'm getting errors when trying to use the >> setsebool command. >> >> # setsebool httpd_disable_trans 1 >> libsemanage.semanage_commit_sandbox: Error while >> renaming /etc/selinux/targeted/modules/active >> to /etc/selinux/targeted/modules/previous. >> Could not change policy booleans >> > > This usually means that there is a labeling problem with /etc/selinux. > Run /sbin/restorecon -R /etc/selinux/targeted/modules. Then try again. > Check for audit messages in /var/log/messages > or /var/log/audit/audit.log (the latter if running auditd). > > > >> Has anyone else experienced similar problems? Is there a problem on >> my end? Is there a fix? >> >> Although the error message is generated, the boolean does get set. >> However, the -P switch doesn't work and the boolean won't stick across >> reboots. >> >> Is there an alternate method to remotely configure booleans that stick >> across reboots? >> >> Any help is appreciated. >> > > I have seen this happen on a couple of machines. We are missing a transition from initrc_t to semanage_t for targeted policy which could result in an init script that calls setsebool (ypbind) or one of the other apps to screw up the file context. Also if you run in permissive mode and did not transition properly when updating rpms this could happen. If there is an application that uses libsemanage that is not labeled semanage_exec_t, or an unconfined_domain that runs semanage without the transition. 
Not sure of any other situations that could cause this. Dan From dwalsh at redhat.com Mon Nov 6 20:37:38 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 06 Nov 2006 15:37:38 -0500 Subject: SELinux is preventing /usr/sbin/groupadd In-Reply-To: <20061105112424.71ad2380@david.hill.bnb> References: <20061105112424.71ad2380@david.hill.bnb> Message-ID: <454F9D12.3020709@redhat.com> Norm wrote: > I am sure the explanation and information is clear enough in the > Setroubleshoot browser report but the catch is I don't understand it > nor can seem to figure out what to do to stop the problem "SELinux is > preventing /usr/sbin/groupadd(useradd_t) "sys_tty_config" to > (groupadd_t)" I appreciate that it could be an intrusion attempt but > that is unlikely and as it occur ed when I was not on the computer I > assume it is part of a cron process or similar. > How do I deal with it? > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Did groupadd succeed? Could you attach the avc message from /var/log/audit/audit.log? Dan From dwalsh at redhat.com Mon Nov 6 20:48:53 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 06 Nov 2006 15:48:53 -0500 Subject: denied {search} pam_console_app In-Reply-To: References: Message-ID: <454F9FB5.6030706@redhat.com> Robin Bowes wrote: > Hi, > > I'm seeing a whole raft of these msgs at boot: > > audit(1162812576.696:158): avc: denied { search } for pid=523 > comm="pam_console_app" name="var" dev=dm-0 ino=229377 > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 > tcontext=system_u:object_r:file_t:s0 tclass=dir > > audit2allow suggests this to fix: > > allow pam_console_t file_t:dir search; > > My question: > > Is this the right fix? Or is there some chcon magic I can do? > > R. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > You have a separate /var partition, and the /var directory that resides under the mounted /var is labeled incorrectly. This is a problem with the installer that does not label it correctly. Not sure why pam_console is reporting these.
1. You can boot single user mode without /var mounted and restorecon /var
2. Add a loadable module with the line in it files_dontaudit_search_isid_type_dirs(pam_console_t)
3. Wait for the next policy update to get that line. From robin-lists at robinbowes.com Mon Nov 6 21:04:32 2006 
From: robin-lists at robinbowes.com (Robin Bowes) Date: Mon, 06 Nov 2006 21:04:32 +0000 Subject: denied {search} pam_console_app In-Reply-To: <454F9FB5.6030706@redhat.com> References: <454F9FB5.6030706@redhat.com> Message-ID: Daniel J Walsh wrote: > You have a separate /var partition, and the /var directory that resides > under the mounted /var is labeled incorrectly. This is a problem with > the installer that does not label it correctly. Not sure why > pam_console is reporting these. > > 1. You can boot single user mode without /var mounted and restorecon /var > 2. Add a loadable module with the line in it > files_dontaudit_search_isid_type_dirs(pam_console_t) > 3. Wait for the next policy update to get that line. Thanks. Will probably try option (1). Any idea when the next policy update will come along? R. From fedora at grifent.com Mon Nov 6 21:34:52 2006 
From: fedora at grifent.com (John Griffiths) Date: Mon, 06 Nov 2006 16:34:52 -0500 Subject: Permission denied for public_html In-Reply-To: <454F950F.7060800@Englisch.us> References: <20061106170012.30B1673C6D@hormel.redhat.com> <454F8831.6040905@grifent.com> <454F950F.7060800@Englisch.us> Message-ID: <454FAA7C.5010502@grifent.com> Volker Englisch wrote: > on 11/6/2006 2:08 PM John Griffiths said the following: >>> I had set these values in order to get samba to work. In fact, at >>> some point I thought I did have both samba and http access to the >>> public_html directory working but when I made additional changes >>> trying to allow a cgi script to write to a directory I must have >>> messed up the access to the user websites. >>> >> The context of the directory has to be public_content_rw_t for both >> Samba and httpd to access it. > > I actually did have this context set this way in the beginning but now > I would be happy if I could just access the user web pages again. > That's why I had changed it back to httpd_sys_content_t. > > Here is the context of the directory (after changing the context back > to public_content_rw_t: > > [root] ls -dZ public_html > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t > public_html/ > PWD=/home/kate > [root] ls -Z public_html > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t images/ > -rw-rw-r-- kate webedit user_u:object_r:public_content_rw_t index.html > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t pics/ > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t Themes/ > > [root] getsebool -a | grep enable_home > httpd_enable_homedirs --> on > samba_enable_home_dirs --> on > spamd_enable_home_dirs --> on > > [root] getenforce > Enforcing > > And the output from the /var/log/messages file when accessing the web > page: > ... 
> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72017): avc: > denied { search } for pid=31270 comm="httpd" name="kate" dev=sda5 > ino=14942209 scontext=user_u:system_r:httpd_t:s0 > tcontext=user_u:object_r:user_home_t:s0 tclass=dir > Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72018): avc: > denied { getattr } for pid=31270 comm="httpd" name="kate" dev=sda5 > ino=14942209 scontext=user_u:system_r:httpd_t:s0 > tcontext=user_u:object_r:user_home_t:s0 tclass=dir > ... > The context is showing up as user_home_t , not public_content_rw_t. When you changed the context, did you only do the directory or recursively so the contents also got the context? Regards, John > > From all that I know everything looks good but maybe someone else can > see what is wrong with my setup. > > > Thanks > > Volker Englisch > From Volker at englisch.us Mon Nov 6 21:52:35 2006 
From: Volker at englisch.us (Volker Englisch) Date: Mon, 06 Nov 2006 16:52:35 -0500 Subject: Permission denied for public_html In-Reply-To: <454FAA7C.5010502@grifent.com> References: <20061106170012.30B1673C6D@hormel.redhat.com> <454F8831.6040905@grifent.com> <454F950F.7060800@Englisch.us> <454FAA7C.5010502@grifent.com> Message-ID: <454FAEA3.3020706@Englisch.us> on 11/6/2006 4:34 PM John Griffiths said the following: >> And the output from the /var/log/messages file when accessing the web >> page: >> ... >> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72017): avc: >> denied { search } for pid=31270 comm="httpd" name="kate" dev=sda5 >> ino=14942209 scontext=user_u:system_r:httpd_t:s0 >> tcontext=user_u:object_r:user_home_t:s0 tclass=dir >> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72018): avc: >> denied { getattr } for pid=31270 comm="httpd" name="kate" dev=sda5 >> ino=14942209 scontext=user_u:system_r:httpd_t:s0 >> tcontext=user_u:object_r:user_home_t:s0 tclass=dir >> ... >> > The context is showing up as user_home_t , not public_content_rw_t. When > you changed the context, did you only do the directory or recursively so > the contents also got the context? Yes, I did it recursively using chcon -R -t public_content_rw_t /home/kate/public_html Thanks Volker Englisch From knute at frazmtn.com Tue Nov 7 05:52:53 2006 
From: knute at frazmtn.com (Knute Johnson) Date: Mon, 06 Nov 2006 21:52:53 -0800 Subject: Setting up a samba share? Message-ID: <454FAEB5.26460.13E831@knute.frazmtn.com> I'm setting up a samba share on my new FC6 install that will be public with no password required. Just like an unmolested Windows share. I found an article that said to put the selinux context description in /etc/selinux/targeted/contexts/files/file_contexts.local. My shared directory is /var/share. I put the line: /var/share(/.*)? system_u:object_r:samba_share_t in that file. Is this the correct way to make this change and make it permanent? Will this do what it is supposed to do? This is selinux related but why does the directory have to be world executable to make this work? Thanks very much, -- Knute Johnson Molon Labe... From paul at city-fan.org Tue Nov 7 08:37:17 2006 
From: paul at city-fan.org (Paul Howarth) Date: Tue, 07 Nov 2006 08:37:17 +0000 Subject: Setting up a samba share? In-Reply-To: <454FAEB5.26460.13E831@knute.frazmtn.com> References: <454FAEB5.26460.13E831@knute.frazmtn.com> Message-ID: <1162888637.2770.4.camel@metropolis.intra.city-fan.org> On Mon, 2006-11-06 at 21:52 -0800, Knute Johnson wrote: > I'm setting up a samba share on my new FC6 install that will be > public with no password required. Just like an unmolested Windows > share. > > I found an article that said to put the selinux context description > in /etc/selinux/targeted/contexts/files/file_contexts.local. > > My shared directory is /var/share. I put the line: > > /var/share(/.*)? system_u:object_r:samba_share_t > > in that file. > > Is this the correct way to make this change and make it permanent? > Will this do what it is supposed to do? Since FC5 the way to do this is not by editing file_contexts.local but by using semanage: # semanage fcontext -a -t samba_share_t '/var/share(/.*)?' Having changed policy by doing this, the context types of the files themselves still need changing: # restorecon -r /var/share > This is selinux related but why does the directory have to be world > executable to make this work? Directories need to be executable in order to list their contents, don't they? Paul. From paul at city-fan.org Tue Nov 7 11:16:27 2006 
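Paul's semanage-then-restorecon sequence, as an added example that is not from the mail and not libselinux code: a Python model of how a file_contexts entry is matched against a path. It assumes the matching rule libselinux applied at the time, anchored regular expressions with the last matching entry winning, and file_contexts.local (what semanage fcontext writes) read after the base file, so the local entry beats the stock /var entry. BASE_FILE_CONTEXTS, DISK_LABELS, resolve and relabel_plan are constructed for the example. It shows two things the two commands alone do not: "/var/share(/.*)?" is anchored, so /var/shared is untouched, and adding the spec changes nothing on disk, which is why the restorecon step has to follow.

```python
"""Model of file_contexts matching and of what restorecon does afterwards.

Added example for this thread, not libselinux code. Assumed behaviour: each
entry is an anchored regular expression, the last matching entry wins, and
file_contexts.local is consulted after the base file_contexts. The base
entries and the on-disk labels below are constructed for the example.
"""
import re

# Constructed subset of a base file_contexts, in file order.
BASE_FILE_CONTEXTS = [
    ("/.*",            "default_t"),
    ("/var(/.*)?",     "var_t"),
    ("/var/lib(/.*)?", "var_lib_t"),
]

# The entry that  semanage fcontext -a -t samba_share_t '/var/share(/.*)?'
# records in file_contexts.local (read after the base file).
LOCAL_ENTRY = ("/var/share(/.*)?", "samba_share_t")

# Constructed on-disk labels, as ls -Z would show them before restorecon.
DISK_LABELS = {
    "/var/share":            "var_t",
    "/var/share/pub.txt":    "var_t",
    "/var/shared/notes.txt": "var_t",
    "/var/lib/samba":        "var_lib_t",
}


def resolve(path, specs):
    """Type that policy assigns to path: the LAST spec whose anchored regex
    matches the whole path (fullmatch, never a prefix match)."""
    chosen = None
    for regex, ftype in specs:
        if re.fullmatch(regex, path):
            chosen = ftype
    return chosen


def relabel_plan(disk_labels, specs):
    """What restorecon -R would change: {path: (current, expected)} for every
    path whose on-disk label differs from the spec result. Adding a spec
    never touches the disk, so the plan is non-empty right after semanage."""
    plan = {}
    for path, current in disk_labels.items():
        expected = resolve(path, specs)
        if current != expected:
            plan[path] = (current, expected)
    return plan


if __name__ == "__main__":
    specs = BASE_FILE_CONTEXTS + [LOCAL_ENTRY]
    for path in DISK_LABELS:
        print("%-24s base=%-10s with local=%s" % (path, resolve(path, BASE_FILE_CONTEXTS), resolve(path, specs)))
    print("restorecon would change:", relabel_plan(DISK_LABELS, specs))
```

The anchoring is the practical gotcha: a pattern written as "/var/share" without the "(/.*)?" suffix matches the directory only, and a pattern that was meant for /var/share never covers /var/shared.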
From: paul at city-fan.org (Paul Howarth) Date: Tue, 07 Nov 2006 11:16:27 +0000 Subject: Permission denied for public_html In-Reply-To: <454F950F.7060800@Englisch.us> References: <20061106170012.30B1673C6D@hormel.redhat.com> <454F8831.6040905@grifent.com> <454F950F.7060800@Englisch.us> Message-ID: <45506B0B.8090301@city-fan.org> Volker Englisch wrote: > on 11/6/2006 2:08 PM John Griffiths said the following: >>> I had set these values in order to get samba to work. In fact, at >>> some point I thought I did have both samba and http access to the >>> public_html directory working but when I made additional changes >>> trying to allow a cgi script to write to a directory I must have >>> messed up the access to the user websites. >>> >> The context of the directory has to be public_content_rw_t for both >> Samba and httpd to access it. > > I actually did have this context set this way in the beginning but now I > would be happy if I could just access the user web pages again. That's > why I had changed it back to httpd_sys_content_t. > > Here is the context of the directory (after changing the context back to > public_content_rw_t: > > [root] ls -dZ public_html > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t > public_html/ > PWD=/home/kate > [root] ls -Z public_html > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t images/ > -rw-rw-r-- kate webedit user_u:object_r:public_content_rw_t index.html > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t pics/ > drwxr-xr-x kate webedit user_u:object_r:public_content_rw_t Themes/ > > [root] getsebool -a | grep enable_home > httpd_enable_homedirs --> on > samba_enable_home_dirs --> on > spamd_enable_home_dirs --> on > > [root] getenforce > Enforcing > > And the output from the /var/log/messages file when accessing the web page: > ... 
> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72017): avc: denied
> { search } for pid=31270 comm="httpd" name="kate" dev=sda5
> ino=14942209 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72018): avc: denied
> { getattr } for pid=31270 comm="httpd" name="kate" dev=sda5
> ino=14942209 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=dir
> ...
>
>
> From all that I know everything looks good but maybe someone else can
> see what is wrong with my setup.

It looks to me that /home/kate is user_home_t instead of user_home_dir_t.
Fixing that should help.

Paul.

From LEFFLESA at nv.doe.gov Tue Nov 7 14:31:00 2006
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Tue, 7 Nov 2006 07:31:00 -0700
Subject: Need help for midterm project/presentation (FC5 & SELinux)
In-Reply-To: <1162821003.5519.264.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Thanks guys. I just d/l slide; probably a bit much for my class to deal
with at the moment, but I think I will enjoy using it in the future.
Fortunately I only need to give a 30 minute presentation so I should be
able to meander my way through it.

Thanks again,
Sean

From selinux at gmail.com Tue Nov 7 14:49:11 2006
From: selinux at gmail.com (Tom London) Date: Tue, 7 Nov 2006 06:49:11 -0800 Subject: gdm logout during selinux-policy-targeted update....? Message-ID: <4c4ba1530611070649u439d7a16w264087f454136d1e@mail.gmail.com> Running rawhide, targeted/enforcing. Running 'yum update' today again (second time) caused a gdm logout in the middle of the update when updating selinux-policy-targeted. Here are the only messages I see: Nov 7 06:12:21 localhost Updated: pirut.noarch 1.2.7-1.fc7 Nov 7 06:12:30 localhost kernel: security: 3 users, 6 roles, 1562 types, 170 bools, 1 sens, 1024 cats Nov 7 06:12:30 localhost kernel: security: 59 classes, 48605 rules Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?) Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?) Nov 7 06:12:30 localhost Updated: selinux-policy-targeted.noarch 2.4.3-1 Nov 7 06:12:30 localhost gconfd (tbl-4169): starting (version 2.16.0), pid 4169 user 'tbl' Logging in, I can run 'rpm -Uvh selinux-policy-targeted' in permissive mode with no problem. Rebooting also seems fine..... Anyone else seeing this? Anyone have guesses on what is causing this? tom -- Tom London From Volker at englisch.us Tue Nov 7 15:53:00 2006 
From: Volker at englisch.us (Volker Englisch) Date: Tue, 07 Nov 2006 10:53:00 -0500 Subject: Permission denied for public_html In-Reply-To: <45506B0B.8090301@city-fan.org> References: <20061106170012.30B1673C6D@hormel.redhat.com> <454F8831.6040905@grifent.com> <454F950F.7060800@Englisch.us> <45506B0B.8090301@city-fan.org> Message-ID: <4550ABDC.4020301@Englisch.us> on 11/7/2006 6:16 AM Paul Howarth said the following: >> And the output from the /var/log/messages file when accessing the web >> page: >> ... >> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72017): avc: >> denied { search } for pid=31270 comm="httpd" name="kate" dev=sda5 >> ino=14942209 scontext=user_u:system_r:httpd_t:s0 >> tcontext=user_u:object_r:user_home_t:s0 tclass=dir >> Nov 6 14:48:27 kepler kernel: audit(1162842507.522:72018): avc: >> denied { getattr } for pid=31270 comm="httpd" name="kate" dev=sda5 >> ino=14942209 scontext=user_u:system_r:httpd_t:s0 >> tcontext=user_u:object_r:user_home_t:s0 tclass=dir >> ... >> >> >> From all that I know everything looks good but maybe someone else can >> see what is wrong with my setup. > > It looks to me that /home/kate is user_home_t instead of > user_home_dir_t. Fixing that should help. > > Paul. That's it. After changing the context for /home/kate to user_home_dir_t things started working again. Thanks to everyone for your help! Volker Englisch From rhally at mindspring.com Tue Nov 7 19:03:09 2006 
From: rhally at mindspring.com (Richard Hally)
Date: Tue, 07 Nov 2006 14:03:09 -0500
Subject: gdm logout during selinux-policy-targeted update....?
In-Reply-To: <4c4ba1530611070649u439d7a16w264087f454136d1e@mail.gmail.com>
References: <4c4ba1530611070649u439d7a16w264087f454136d1e@mail.gmail.com>
Message-ID: <4550D86D.2000801@mindspring.com>

Tom London wrote:
> Running rawhide, targeted/enforcing.
>
> Running 'yum update' today again (second time) caused a gdm logout in
> the middle of the update when updating selinux-policy-targeted.
>
> Here are the only messages I see:
>
> Nov 7 06:12:21 localhost Updated: pirut.noarch 1.2.7-1.fc7
> Nov 7 06:12:30 localhost kernel: security: 3 users, 6 roles, 1562
> types, 170 bools, 1 sens, 1024 cats
> Nov 7 06:12:30 localhost kernel: security: 59 classes, 48605 rules
> Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=2) : exe="?" (sauid=81,
> hostname=?, addr=?, terminal=?)
> Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon"
> (sauid=500, hostname=?, addr=?, terminal=?)
> Nov 7 06:12:30 localhost Updated: selinux-policy-targeted.noarch 2.4.3-1
> Nov 7 06:12:30 localhost gconfd (tbl-4169): starting (version
> 2.16.0), pid 4169 user 'tbl'
>
> Logging in, I can run 'rpm -Uvh selinux-policy-targeted' in permissive
> mode with no problem. Rebooting also seems fine.....
>
> Anyone else seeing this?
>
> Anyone have guesses on what is causing this?
>
> tom

I saw this when you reported it a few days ago but today's update went fine.
The actual update of selinux-policy-targeted [51/128] shows a
"/sbin/restorecon reset /var/cache/mod_proxy context ..."

sorry I can't be more help,
Richard

From pdmullen at hotmail.com Wed Nov 8 10:49:54 2006
From: pdmullen at hotmail.com (paul mullen)
Date: Wed, 08 Nov 2006 10:49:54 +0000
Subject: dd whole disk within SElinux
Message-ID:

Hi,

I need to create a backup image of my system and was going to use dd
if=/dev/hda of=/dev/hdb.
With SElinux targeted policy enabled will this have any effect on the dd
working correctly?
New to SElinux so any advice is appreciated.

Many Thanks

Paul

From selinux at gmail.com Wed Nov 8 14:38:52 2006
From: selinux at gmail.com (Tom London) Date: Wed, 8 Nov 2006 06:38:52 -0800 Subject: gdm logout during selinux-policy-targeted update....? In-Reply-To: <4550D86D.2000801@mindspring.com> References: <4c4ba1530611070649u439d7a16w264087f454136d1e@mail.gmail.com> <4550D86D.2000801@mindspring.com> Message-ID: <4c4ba1530611080638g317bf1ffg46e7183033d93e8c@mail.gmail.com> On 11/7/06, Richard Hally wrote: > Tom London wrote: > > Running rawhide, targeted/enforcing. > > > > Running 'yum update' today again (second time) caused a gdm logout in > > the middle of the update when updating selinux-policy-targeted. > > > > Here are the only messages I see: > > > > Nov 7 06:12:21 localhost Updated: pirut.noarch 1.2.7-1.fc7 > > Nov 7 06:12:30 localhost kernel: security: 3 users, 6 roles, 1562 > > types, 170 bools, 1 sens, 1024 cats > > Nov 7 06:12:30 localhost kernel: security: 59 classes, 48605 rules > > Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC > > avc: received policyload notice (seqno=2) : exe="?" (sauid=81, > > hostname=?, addr=?, terminal=?) > > Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC > > avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon" > > (sauid=500, hostname=?, addr=?, terminal=?) > > Nov 7 06:12:30 localhost Updated: selinux-policy-targeted.noarch 2.4.3-1 > > Nov 7 06:12:30 localhost gconfd (tbl-4169): starting (version > > 2.16.0), pid 4169 user 'tbl' > > > > Logging in, I can run 'rpm -Uvh selinux-policy-targeted' in permissive > > mode with no problem. Rebooting also seems fine..... > > > > Anyone else seeing this? > > > > Anyone have guesses on what is causing this? > > > > tom > I saw this when you reported it a few days ago but todays update went fine. > The actual update of selinux-policy-targeted [51/128] shows a > "/sbin/restorecon reset /var/cache/mod_proxy context ..." 
> > sorry I can't be more help, > Richard > Being the nervous type, I set permissive mode and separately 'yum updated' selinux-policy\* for today's update. No problems. tom -- Tom London From lindafinch1 at hotmail.co.uk Wed Nov 8 15:31:51 2006 
From: lindafinch1 at hotmail.co.uk (Linda Finch)
Date: Wed, 08 Nov 2006 15:31:51 +0000
Subject: New SELinux User
Message-ID:

I am trying to get up to speed with SELinux however as I am also a novice
Linux user (my OS knowledge has been with other systems) this is a very
steep learning curve! To ease the pain, I purchased the SELinux by Example
book and have been trying to work through the example policy module for the
IRC daemon.

I set up a standard FC4 workstation with the required strict src policy, IRC
etc and proceeded to follow through the book however I cannot get it to
compile. When I enter the make && make install && make load command I get
the following error:

make && make install && make load
/usr/bin/checkpolicy -o policy.21 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/program/ircd.te:28:ERROR 'duplicate declaration of type/attribute' at token ';' on line 290384:
type ircd_log_t, file_type, sysadmfile, logfile;
#line 28
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.21] Error 1

I've double checked the ircd.te file, looked at the policy.conf file and
can't see anything wrong. Is this error immediately obvious to anyone
(without knowing the example in the book of course!)? If so, please help!
Apologies if there is something simple that I've not done - as I say, I'm a
novice user! I've also had a go with the reference policy example in the
book for FC5 and couldn't get that to compile either. That gives an error
with the generated_definitions.conf file. I downloaded the most up to date
version of the refpolicy from Tresys' site but maybe there are other patches
I need? Again, this was a std FC5 install.

Thanks in advance

Linda

From kmacmill at redhat.com Wed Nov 8 15:35:29 2006
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 08 Nov 2006 10:35:29 -0500
Subject: dd whole disk within SElinux
In-Reply-To:
References:
Message-ID: <1163000129.24127.2.camel@localhost.localdomain>

On Wed, 2006-11-08 at 10:49 +0000, paul mullen wrote:
> Hi,
>
> I need to create a backup image of my system and was going to use dd
> if=/dev/hda of=/dev/hdb.
> With SElinux targeted policy enabled will this have any effect on the dd
> working correctly?
> New to SElinux so any advice is appreciated.
>

Not certain whether you are asking if the command will be allowed to run
or if the resulting backup will be valid. Either way, I don't know of any
reason why this wouldn't work.

Karl

From kmacmill at redhat.com Wed Nov 8 15:47:19 2006
From: kmacmill at redhat.com (Karl MacMillan)
Date: Wed, 08 Nov 2006 10:47:19 -0500
Subject: New SELinux User
In-Reply-To:
References:
Message-ID: <1163000839.24127.9.camel@localhost.localdomain>

On Wed, 2006-11-08 at 15:31 +0000, Linda Finch wrote:
> I am trying to get up to speed with SELinux however as I am also a novice
> Linux user (my OS knowledge has been with other systems) this is a very
> steep learning curve! To ease the pain, I purchased the SELinux by Example
> book and have been trying to work through the example policy module for the
> IRC daemon.
>
> I set up a standard FC4 workstation with the required strict src policy, IRC
> etc and proceeded to follow through the book however I cannot get it to
> compile. When I enter the make && make install && make load command I get
> the following error:
>
> make && make install && make load
> /usr/bin/checkpolicy -o policy.21 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> domains/program/ircd.te:28:ERROR 'duplicate declaration of type/attribute'
> at token ';' on line 290384:
> type ircd_log_t, file_type, sysadmfile, logfile;
> #line 28
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.21] Error 1
>

The compiler is saying that this type has already been declared. Make
certain that you did not accidentally include this line twice. It is also
possible that the strict policy that you are using already has a policy
for the ircd daemon (I don't have an FC4 system to check the latest
policy). You can grep through the policy modules to see if this type is
declared in another module - run this command in domains/program:

grep "type ircd_log_t" *.te

That should show you the file names of all the files that contain the
phrase "type ircd_log_t". If there is another policy module declaring this
type you can disable it by moving it and its corresponding .fc file to the
unused directories in domains/program and file_contexts.
>
> I've double checked the ircd.te file, looked at the policy.conf file and
> can't see anything wrong. Is this error immediately obvious to anyone
> (without knowing the example in the book of course!)? If so, please help!
> Apologies if there is something simple that I've not done - as I say, I'm a
> novice user! I've also had a go with the reference policy example in the
> book for FC5 and couldn't get that to compile either. That gives an error
> with the generated_definitions.conf file. I downloaded the most up to date
> version of the refpolicy from Tresys' site but maybe there are other patches
> I need? Again, this was a std FC5 install.
>

Can you give a more detailed error message here?

Karl

From LEFFLESA at nv.doe.gov Wed Nov 8 17:54:36 2006
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Wed, 8 Nov 2006 10:54:36 -0700
Subject: New SELinux User
In-Reply-To: <20061108170016.283D37380A@hormel.redhat.com>
Message-ID:

I don't know if this will fix your FC5 problems, but it's worth a shot.

I found mine worked after I upgraded these two files. (I was actually
trying to make setools work with the new policy.21)
After I was done updating stuff, my refpolicy actually compiled. :)

policycoreutils 1.32 or higher
libsemanage (1.6.17 I think is the latest?)

Policycoreutils and libsemanage are available on the development repos,
so run something like this to gain access to these updates/upgrades

yum --enablerepo=development --enablerepo=extras-development install libsemanage
yum --enablerepo=development --enablerepo=extras-development install policycoreutils

Run 'make clean' before retrying your refpolicy compile.

Fellow struggling new user,
Sean

-----Original Message-----
I've also had a go with the reference policy example in the book for FC5
and couldn't get that to compile either. That gives an error with the
generated_definitions.conf file. I downloaded the most up to date version
of the refpolicy from Tresys' site but maybe there are other patches I
need? Again, this was a std FC5 install.

From knute at frazmtn.com Wed Nov 8 19:38:24 2006
From: knute at frazmtn.com (Knute Johnson) Date: Wed, 08 Nov 2006 11:38:24 -0800 Subject: Setting up a samba share? In-Reply-To: <1162888637.2770.4.camel@metropolis.intra.city-fan.org> References: <454FAEB5.26460.13E831@knute.frazmtn.com>, <1162888637.2770.4.camel@metropolis.intra.city-fan.org> Message-ID: <4551C1B0.8174.9E5E6B@knute.frazmtn.com> >On Mon, 2006-11-06 at 21:52 -0800, Knute Johnson wrote: >> I'm setting up a samba share on my new FC6 install that will be >> public with no password required. Just like an unmolested Windows >> share. >> >> I found an article that said to put the selinux context description >> in /etc/selinux/targeted/contexts/files/file_contexts.local. >> >> My shared directory is /var/share. I put the line: >> >> /var/share(/.*)? system_u:object_r:samba_share_t >> >> in that file. >> >> Is this the correct way to make this change and make it permanent? >> Will this do what it is supposed to do? > >Since FC5 the way to do this is not by editing file_contexts.local but >by using semanage: > ># semanage fcontext -a -t samba_share_t '/var/share(/.*)?' > >Having changed policy by doing this, the context types of the files >themselves still need changing: > semanage just creates the file_contexts.local file with the same thing in it that I had. What difference does it make to edit the file or use semanage? Thanks, -- Knute Johnson Molon Labe... From kmacmill at redhat.com Wed Nov 8 20:14:17 2006 
From: kmacmill at redhat.com (Karl MacMillan) Date: Wed, 08 Nov 2006 15:14:17 -0500 Subject: Setting up a samba share? In-Reply-To: <4551C1B0.8174.9E5E6B@knute.frazmtn.com> References: <454FAEB5.26460.13E831@knute.frazmtn.com> , <1162888637.2770.4.camel@metropolis.intra.city-fan.org> <4551C1B0.8174.9E5E6B@knute.frazmtn.com> Message-ID: <1163016857.26513.8.camel@localhost.localdomain> On Wed, 2006-11-08 at 11:38 -0800, Knute Johnson wrote: > >On Mon, 2006-11-06 at 21:52 -0800, Knute Johnson wrote: > >> I'm setting up a samba share on my new FC6 install that will be > >> public with no password required. Just like an unmolested Windows > >> share. > >> > >> I found an article that said to put the selinux context description > >> in /etc/selinux/targeted/contexts/files/file_contexts.local. > >> > >> My shared directory is /var/share. I put the line: > >> > >> /var/share(/.*)? system_u:object_r:samba_share_t > >> > >> in that file. > >> > >> Is this the correct way to make this change and make it permanent? > >> Will this do what it is supposed to do? > > > >Since FC5 the way to do this is not by editing file_contexts.local but > >by using semanage: > > > ># semanage fcontext -a -t samba_share_t '/var/share(/.*)?' > > > >Having changed policy by doing this, the context types of the files > >themselves still need changing: > > > > semanage just creates the file_contexts.local file with the same > thing in it that I had. What difference does it make to edit the > file or use semanage? > 1) The tool helps avoid mistakes. 2) It is possible to roll back changes. 3) Future policies may disallow editing of this file directly (and others in that directory) as it is security sensitive and should be protected. 4) Future tools for managing policies on multiple machines will require the use of semanage. But, for now, it makes no difference. Karl From LEFFLESA at nv.doe.gov Wed Nov 8 20:47:40 2006 
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Wed, 8 Nov 2006 13:47:40 -0700
Subject: APOL and Fake Attributes
Message-ID:

(not sure if this is the best list to ask this, but here goes...)

Running FC5 and SeTools 3.0.
When I load any policy in apol, they always show up w/ fake attributes
because "names are not stored in binary format."
So how do I get these to show up like they do in the book & screenshots.

thanks,
Sean Leffler
NSTec

From bruno at wolff.to Wed Nov 8 21:39:53 2006
From: bruno at wolff.to (Bruno Wolff III)
Date: Wed, 8 Nov 2006 15:39:53 -0600
Subject: dd whole disk within SElinux
In-Reply-To:
References:
Message-ID: <20061108213953.GA5459@wolff.to>

On Wed, Nov 08, 2006 at 10:49:54 +0000, paul mullen wrote:
> Hi,
>
> I need to create a backup image of my system and was going to use dd
> if=/dev/hda of=/dev/hdb.
> With SElinux targeted policy enabled will this have any effect on the dd
> working correctly?
> New to SElinux so any advice is appreciated.

I have used dd to copy data from raw partitions under the targeted selinux
policy in enforcing mode in fc5. This should be easy for you to test if
/dev/hdb is currently a scratch device.

From Volker at englisch.us Thu Nov 9 06:03:03 2006
From: Volker at englisch.us (Volker Englisch) Date: Thu, 09 Nov 2006 01:03:03 -0500 Subject: AVC denied for Spamassassin Message-ID: <4552C497.4030403@Englisch.us> I have a lot of avc messages in my log file indicating a problem with spamassassin/mqueue. I am running FC6 with a standard installation and don't know why there is a problem with the directory /var/spool/mqueue. $ ls -Zd mqueue drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ Do I need to change the context for this directory? Below are some of the messages from my log file: Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: denied { search } for pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: denied { search } for pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: denied { search } for pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: denied { search } for pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir -- Thanks Volker Englisch From paul at city-fan.org Thu Nov 9 08:38:55 2006 
From: paul at city-fan.org (Paul Howarth) Date: Thu, 09 Nov 2006 08:38:55 +0000 Subject: AVC denied for Spamassassin In-Reply-To: <4552C497.4030403@Englisch.us> References: <4552C497.4030403@Englisch.us> Message-ID: <1163061535.19227.7.camel@metropolis.intra.city-fan.org> On Thu, 2006-11-09 at 01:03 -0500, Volker Englisch wrote: > I have a lot of avc messages in my log file indicating a problem with > spamassassin/mqueue. > I am running FC6 with a standard installation and don't know why there > is a problem with the directory /var/spool/mqueue. > $ ls -Zd mqueue > drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ > > Do I need to change the context for this directory? > > Below are some of the messages from my log file: > > Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir Are you running /usr/bin/spamassassin from procmail? Things may improve from both an SELinux and performance perspective if you use /usr/bin/spamc instead. Paul. From dwalsh at redhat.com Thu Nov 9 13:04:15 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 09 Nov 2006 08:04:15 -0500 Subject: AVC denied for Spamassassin In-Reply-To: <4552C497.4030403@Englisch.us> References: <4552C497.4030403@Englisch.us> Message-ID: <4553274F.2000708@redhat.com> Volker Englisch wrote: > I have a lot of avc messages in my log file indicating a problem with > spamassassin/mqueue. > I am running FC6 with a standard installation and don't know why there > is a problem with the directory /var/spool/mqueue. > $ ls -Zd mqueue > drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ > > Do I need to change the context for this directory? > > Below are some of the messages from my log file: > > Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: > denied { search } for pid=14530 comm="spamassassin" name="mqueue" > dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir > Does procmail need to read this directory? Does procmail need to be able to write this directory? From dwalsh at redhat.com Thu Nov 9 13:13:48 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 09 Nov 2006 08:13:48 -0500 Subject: AVC denied for Spamassassin In-Reply-To: <4553274F.2000708@redhat.com> References: <4552C497.4030403@Englisch.us> <4553274F.2000708@redhat.com> Message-ID: <4553298C.9020302@redhat.com> Daniel J Walsh wrote: > Volker Englisch wrote: >> I have a lot of avc messages in my log file indicating a problem with >> spamassassin/mqueue. >> I am running FC6 with a standard installation and don't know why >> there is a problem with the directory /var/spool/mqueue. >> $ ls -Zd mqueue >> drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ >> >> Do I need to change the context for this directory? >> >> Below are some of the messages from my log file: >> >> Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> > Does procmail need to read this directory? > Does procmail need to be able to write this directory? 
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

In policy there is a dontaudit rule

ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
')

But we don't have hide_broken_symptoms turned on right now. So I guess
this has been seen before but has been deemed broken behaviour from a
SELinux point of view.

From cpebenito at tresys.com Thu Nov 9 13:20:43 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 09 Nov 2006 08:20:43 -0500
Subject: APOL and Fake Attributes
In-Reply-To:
References:
Message-ID: <1163078443.18181.74.camel@sgc>

On Wed, 2006-11-08 at 13:47 -0700, Leffler, Sean wrote:
> Running FC5 and SeTools 3.0.
> When I load any policy in apol, they always show up w/ fake attributes
> because "names are not stored in binary format."
> So how do I get these to show up like they do in the book &
> screenshots.

Currently you can only get the real names if you have the source policy,
which isn't installed on FC systems. So you'd need to get the policy
sources and generate a policy.conf to get the real names right now. The
next major SETools release will support loading the modules, which have
the real attributes, but that won't be available until the end of Q1 or
early Q2 next year.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From Volker at englisch.us Thu Nov 9 15:31:53 2006
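The two denial threads above (httpd_t on /home/kate in the public_html thread, procmail_t on /var/spool/mqueue in this one) are the kind of thing this added shell example, not from the list, is for: it collapses raw audit lines into unique (permissions, source type, target type, class) tuples with counts, and turns Paul's diagnosis into a check that flags a directory carrying user_home_t where the top-level home directory should be user_home_dir_t. The sample lines are constructed from the messages quoted above; a summarised tuple is the question you take to the policy (or, as Dan's dontaudit note shows, recognise as already-known broken application behaviour), not a rule to allow as-is.

```shell
#!/bin/sh
# Added example: boil raw AVC denials down to something you can reason about.
# SAMPLE_AVC is constructed from the lines quoted in the public_html and
# spamassassin threads above (timestamps and inode numbers as posted).
SAMPLE_AVC='Nov  6 14:48:27 kepler kernel: audit(1162842507.522:72017): avc:  denied  { search } for  pid=31270 comm="httpd" name="kate" dev=sda5 ino=14942209 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Nov  6 14:48:27 kepler kernel: audit(1162842507.522:72018): avc:  denied  { getattr } for  pid=31270 comm="httpd" name="kate" dev=sda5 ino=14942209 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Nov  8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc:  denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Nov  8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc:  denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
Nov  8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc:  denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir'

# One record per denial: perms|comm|name|source type|target type|class.
# Works on syslog-forwarded lines like the ones above and on audit.log
# (type=AVC ...) records alike, since both carry the same key=value fields;
# a record without a name= field gets "-" there.
avc_fields() {
    awk '
    function val(s, key,    p, rest) {
        p = index(s, key)
        if (p == 0) return "-"
        rest = substr(s, p + length(key))
        if (substr(rest, 1, 1) == "\"") { rest = substr(rest, 2); sub(/".*/, "", rest) }
        else { sub(/ .*/, "", rest) }
        return rest
    }
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        gsub(/ +/, ",", perms)                 # { read write } -> read,write
        split(val($0, "scontext="), sc, ":")   # user_u:system_r:httpd_t:s0
        split(val($0, "tcontext="), tc, ":")
        print perms "|" val($0, "comm=") "|" val($0, "name=") "|" sc[3] "|" tc[3] "|" val($0, "tclass=")
    }'
}

# Count identical (perms, source type, target type, class) tuples: this is
# the unit a policy question is asked at, not the individual log line.
avc_summary() {
    avc_fields | awk -F'|' '{ k = $1 " " $4 " " $5 " " $6; n[k]++ }
                            END { for (k in n) print n[k], k }' | sort
}

# Paul's diagnosis from the public_html thread, turned into a check: a
# directory carrying user_home_t that a daemon cannot search or getattr is
# often a user's top-level home directory, which should be user_home_dir_t.
# Confirm on the box with "matchpathcon -V /home/<name>"; relabelling that
# one directory with restorecon is the fix Volker applied.
home_label_hints() {
    avc_fields | awk -F'|' '$5 == "user_home_t" && $6 == "dir" && !seen[$3]++ {
        msg = "name=" $3 " is user_home_t; if it is the home directory itself,"
        msg = msg " expected label is user_home_dir_t (check: matchpathcon -V /home/" $3 ")"
        print msg
    }'
}

# Stand-alone run on the constructed sample; on a real host feed it
#   grep "avc: *denied" /var/log/messages | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | home_label_hints
```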
From: Volker at englisch.us (Volker Englisch) Date: Thu, 09 Nov 2006 10:31:53 -0500 Subject: AVC denied for Spamassassin In-Reply-To: <4553274F.2000708@redhat.com> References: <4552C497.4030403@Englisch.us> <4553274F.2000708@redhat.com> Message-ID: <455349E9.4050303@Englisch.us> on 11/9/2006 8:04 AM Daniel J Walsh said the following: > Volker Englisch wrote: >> I have a lot of avc messages in my log file indicating a problem with >> spamassassin/mqueue. >> I am running FC6 with a standard installation and don't know why there >> is a problem with the directory /var/spool/mqueue. >> $ ls -Zd mqueue >> drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ >> >> Do I need to change the context for this directory? >> >> Below are some of the messages from my log file: >> >> Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> > Does procmail need to read this directory? > Does procmail need to be able to write this directory? > I honestly don't know. 
I haven't done any customization to procmail and until I saw these messages I wasn't even aware of the existence of the directory. The directory itself is empty but procmail itself must be using the mqueue directory internally or there wouldn't be these messages. Thanks Volker From lindafinch1 at hotmail.co.uk Thu Nov 9 16:39:30 2006 From: lindafinch1 at hotmail.co.uk (Linda Finch) Date: Thu, 09 Nov 2006 16:39:30 +0000 Subject: New SELinux User In-Reply-To: Message-ID: Will give that a try! thanks Sean 
>From: "Leffler, Sean"
>To: fedora-selinux-list at redhat.com,lindafinch1 at hotmail.co.uk
>Subject: RE: New SELinux User
>Date: Wed, 8 Nov 2006 10:54:36 -0700
>
>I don't know if this will fix your FC5 problems, but it's worth a shot.
>
>I found mine worked after I upgraded these two files. (I was actually
>trying to make setools work with the new policy.21)
>After I was done updating stuff, my refpolicy actually compiled. :)
>
>policycoreutils 1.32 or higher
>libsemanage (1.6.17 I think is the latest?)
>
>Policycoreutils and libsemanage are available on the development repos,
>so run something like this to gain access to these updates/upgrades
>
>yum --enablerepo=development --enablerepo=extras-development install
>libsemanage
>yum --enablerepo=development --enablerepo=extras-development install
>policycoreutils
>
>Run 'make clean' before retrying your refpolicy compile.
>
>Fellow struggling new user,
>Sean
>
>
>
>-----Original Message-----
> I've also had a go with the reference policy example in the
>book for FC5 and couldn't get that to compile either. That gives an
>error
>with the generated_definitions.conf file. I downloaded the most
>up to date
>version of the refpolicy from Tresys' site but maybe there are other
>patches
>I need? Again, this was a std FC5 install.
>From: "Leffler, Sean" >To: fedora-selinux-list at redhat.com,lindafinch1 at hotmail.co.uk >Subject: RE: New SELinux User >Date: Wed, 8 Nov 2006 10:54:36 -0700 > >I don't know if this will fix your FC5 problems, but its worth a shot. > >I found mine worked after I upgraded these two files. (I was actually >trying to make setools work with the new policy.21) >After I was done updating stuff, my refpolicy actually compiled. :) > >policycoreutils 1.32 or higher >libsemanage (1.6.17 I think is the latest?) > >Policycoreutils and libsemanage are available on the development repo's, >so run something like this to gain access to these updates/upgrades > >yum --enablerepo=development --enablerepo=extras-development install >libesemanage >yum --enablerepo=development --enablerepo=extras-development install >policycoreutils > >Run 'make clean' before retrying your refpolicy compile. > >Fellow struggling new user, >Sean > > > >-----Original Message----- > I've also had a go with the reference policy example in the >book for FC5 and couldn't get that to compile either. That gives an >error >with the generated_definitions.conf file. I downloaded the most >uptodate >version of the refpolicy from Tresys' site but maybe there are other >patches >I need? Again, this was a std FC5 install. _________________________________________________________________ Windows Live? Messenger has arrived. Click here to download it for free! http://imagine-msn.com/messenger/launch80/?locale=en-gb From lindafinch1 at hotmail.co.uk Thu Nov 9 16:37:50 2006 
From: lindafinch1 at hotmail.co.uk (Linda Finch) Date: Thu, 09 Nov 2006 16:37:50 +0000 Subject: New SELinux User In-Reply-To: <1163000839.24127.9.camel@localhost.localdomain> Message-ID: It took me ages to track down where the duplicate type declaration was coming from - I was sure it wasn't the ircd.te file I'd created as I'd checked it numerous times. In the end I found it was being inserted by the append_logdir_domain macro. Everything compiles, the file system is labelled as expected and I can move on to another problem. The IRCD daemon is not starting with the correct security context. Again, I've double and treble checked the ircd.te file and I'm wondering if it is another problem between this file and the domain_auto_trans macro. I'm starting here anyway. I've not had a chance to look again at FC5 but will screen dump the error message for more information. Then I guess it will be FC6 when I've got this cracked.....! Thanks very much for your help so far Linda 
>From: Karl MacMillan >To: Linda Finch >CC: fedora-selinux-list at redhat.com >Subject: Re: New SELinux User >Date: Wed, 08 Nov 2006 10:47:19 -0500 > >On Wed, 2006-11-08 at 15:31 +0000, Linda Finch wrote: > > I am trying to get up to speed with SELinux however as I am also a >novice > > Linux user (my OS knowledge has been with other systems) this is a very > > steep learning curve! To ease the pain, I purchased the SELinux by >example > > book and have been trying to work through the example policy module for >the > > IRC daemon. > > > > I set up a standard FC4 workstation with the required strict src policy, >IRC > > etc and proceeded to follow through the book however I cannot get it to > > compile. When I enter the make && make install && make load command I >get > > the following error: > > > > make && make install && make load > > /usr/bin/checkpolicy -o policy.21 policy.conf > > /usr/bin/checkpolicy: loading policy configuration from policy.conf > > domains/program/ircd.te:28:ERROR 'duplicate declaration of >type/attribute' > > at token ';' on line 290384: > > type ircd_log_t, file_type, sysadmfile, logfile; > > #line 28 > > checkpolicy: error(s) encountered while parsing configuration > > make: *** [policy.21] Error 1 > > > >The compiler is saying that this type has already been declared. Make >certain that you did not accidentally include this line twice. It is >also possible that the strict policy that you are using already has a >policy for the ircd daemon (I don't have an FC4 system to check the >latest policy). You can grep through the policy modules to see if this >type is declared in another module - run this command in >domains/program: > >grep "type ircd_log_t" *.te > >That should show you the file names of all the files that contain the >phrase "type ircd_log_t". If there is another policy module declaring >this type you can disable it by moving it and its corresponding .fc file >to the unused directories in domains/program and file_contexts. 
> > > > > I've double checked the ircd.te file, looked at the policy.conf file and > > can't see anything wrong. Is this error immediately obvious to anyone > > (without knowing the example in the book of course!)? If so, please >help! > > Apologies if there is something simple that I've not done - as I say, >I'm a > > novice user! I've also had a go with the reference policy example in >the > > book for FC5 and couldn't get that to compile either. That gives an >error > > with the generated_definitions.conf file. I downloaded the most >uptodate > > version of the refpolicy from Tresys' site but maybe there are other >patches > > I need? Again, this was a std FC5 install. > > > >Can you give a more detailed error message here? > >Karl > From craigwhite at azapple.com Thu Nov 9 21:54:31 2006 
From: craigwhite at azapple.com (Craig White) Date: Thu, 09 Nov 2006 14:54:31 -0700 Subject: postgres issues Message-ID: <1163109272.20305.49.camel@lin-workstation.azapple.com>

on CentOS 4.4 - trying to have postgres authenticate a user via pam via LDAP ;-)

I do see in /var/log/audit/audit.log

type=AVC msg=audit(1163102102.393:151988): avc: denied { read } for pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5 success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=CWD msg=audit(1163102102.393:151988): cwd="/var/lib/pgsql"
type=PATH msg=audit(1163102102.393:151988): name="/var/lib/pgsql/ldaprc" flags=101 inode=2864066 dev=fd:00 mode=0100644 ouid=26 ogid=26 rdev=00:00
type=AVC msg=audit(1163102102.395:151989): avc: denied { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1163102102.395:151989): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecd3cc a2=892ff4 a3=bfece464 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=SOCKETCALL msg=audit(1163102102.395:151989): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1163102102.449:151990): avc: denied { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163102102.449:151990): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecc380 a2=a0eff4 a3=0 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"

SO this is what I did...

# audit2allow -i /var/log/audit/audit.log
allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_route_socket create;
allow postgresql_t var_lib_t:file read;

# audit2allow -i /var/log/audit/audit.log \
>> /etc/selinux/targeted/src/policy/domains/local.te

# cd /etc/selinux/targeted/src/policy/
# make reload

but I am still being refused access per strace of process (forked from postmaster / postgres)

[pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)
[pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("255.255.255.255")}, 16) = -1 EACCES (Permission denied)
[pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)

What am I missing?

Thanks

Craig From paul at city-fan.org Fri Nov 10 13:33:26 2006 
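An added example, not code from this thread and not audit2allow itself, showing what audit2allow does with records like the ones Craig posted: parse each AVC line, pull out the source type, target type, object class and permissions, and fold them into one rule per (source, target, class). The sample log is constructed here, modelled on the records in this and the Spamassassin thread (both the audit.log form and the syslog "kernel: audit(...)" form are included); SAMPLE_AUDIT_LOG, parse_avc and to_rules are this example's own names. It can also emit dontaudit rules instead of allow rules, for denials that should be silenced rather than granted.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the AVC lines in this thread (not
# copied from a live system). Both the audit.log form (type=AVC ...) and the
# syslog form (kernel: audit(...): avc: ...) are included.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163102102.393:151988): avc:  denied  { read } for  pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5 success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=AVC msg=audit(1163102102.395:151989): avc:  denied  { create } for  pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
type=AVC msg=audit(1163102102.449:151990): avc:  denied  { create } for  pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=AVC msg=audit(1163170839.586:153524): avc:  denied  { write } for  pid=29409 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
Nov  8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc:  denied  { search }  for  pid=14530 comm="spamassassin" name="mqueue" dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
"""

# "avc: denied { perm ... } for key=value ..." in either log form.
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; policy rules are written against the type.
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def to_rules(lines, kind='allow'):
    """Fold denials into one rule per (source type, target type, class), as audit2allow does.

    kind='dontaudit' writes dontaudit rules instead, for denials that should be
    silenced rather than granted.
    """
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        # Policy language uses 'self' when a domain acts on an object of its own type.
        target = 'self' if rec['ttype'] == rec['stype'] else rec['ttype']
        perms[(rec['stype'], target, rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, target, tclass), pset in sorted(perms.items()):
        plist = ' '.join(sorted(pset))
        if len(pset) > 1:
            plist = '{ ' + plist + ' }'
        rules.append(f'{kind} {stype} {target}:{tclass} {plist};')
    return rules


if __name__ == '__main__':
    for rule in to_rules(SAMPLE_AUDIT_LOG.splitlines()):
        print(rule)
```

to_rules(SAMPLE_AUDIT_LOG.splitlines()) yields the three postgresql_t rules Craig obtained, with the later write denial merged into the netlink_audit_socket rule, plus one for procmail_t. Before pasting any such output into local.te, three checks are worth making: whether the target is simply mislabelled (a denial on a file object, such as var_lib_t on /var/lib/pgsql/ldaprc, may be a job for restorecon rather than a new rule); whether the access should be a dontaudit rather than an allow (Daniel Walsh's choice for procmail's search of mqueue later in this thread); and whether the failure is SELinux at all. An EACCES seen in strace with no matching AVC record in audit.log has some other cause (the kernel, for one, returns EACCES for a datagram connect() to a broadcast address when SO_BROADCAST is not set), and a retry under setenforce 0 settles that question quickly.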
From: paul at city-fan.org (Paul Howarth) Date: Fri, 10 Nov 2006 13:33:26 +0000 Subject: AVC denied for Spamassassin In-Reply-To: <4553274F.2000708@redhat.com> References: <4552C497.4030403@Englisch.us> <4553274F.2000708@redhat.com> Message-ID: <45547FA6.8070604@city-fan.org> Daniel J Walsh wrote: > Volker Englisch wrote: >> I have a lot of avc messages in my log file indicating a problem with >> spamassassin/mqueue. >> I am running FC6 with a standard installation and don't know why there >> is a problem with the directory /var/spool/mqueue. >> $ ls -Zd mqueue >> drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ >> >> Do I need to change the context for this directory? >> >> Below are some of the messages from my log file: >> >> Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: >> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >> > Does procmail need to read this directory? > Does procmail need to be able to write this directory? Isn't this a consequence of procmail being the local delivery agent for sendmail by default? Paul. 
From Volker at englisch.us Fri Nov 10 14:26:21 2006 From: Volker at englisch.us (Volker Englisch) Date: Fri, 10 Nov 2006 09:26:21 -0500 Subject: AVC denied for Spamassassin In-Reply-To: <1163061535.19227.7.camel@metropolis.intra.city-fan.org> References: <4552C497.4030403@Englisch.us> <1163061535.19227.7.camel@metropolis.intra.city-fan.org> Message-ID: <45548C0D.8060009@Englisch.us> On 11/09/2006 03:38 AM Paul Howarth wrote: > Are you running /usr/bin/spamassassin from procmail? > > Things may improve from both an SELinux and performance perspective if > you use /usr/bin/spamc instead. > > Paul. > You were right. I switched yesterday to use spamc with the effect that all of the AVC messages disappeared from the messages file since the switch. However, I now see a bunch of 'Permission Denied' messages in the maillog. But that's a different mailing list. :-) Thanks for the hint to switch to spamc. Volker Englisch From craigwhite at azapple.com Fri Nov 10 15:03:49 2006 
From: craigwhite at azapple.com (Craig White) Date: Fri, 10 Nov 2006 08:03:49 -0700 Subject: postgres issues In-Reply-To: <1163109272.20305.49.camel@lin-workstation.azapple.com> References: <1163109272.20305.49.camel@lin-workstation.azapple.com> Message-ID: <1163171029.26381.40.camel@lin-workstation.azapple.com> I should point out that I am still getting these errors in /var/log/audit/audit.log after making the changes below to local.te type=AVC msg=audit(1163170839.586:153524): avc: denied { write } for pid=29409 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:syste m_r:postgresql_t tclass=netlink_audit_socket type=SYSCALL msg=audit(1163170839.586:153524): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfec3f80 a2=a0eff4 a3=88 items=0 pid=29409 auid=0 uid= 26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres" type=SOCKADDR msg=audit(1163170839.586:153524): saddr=100000000000000000000000 type=SOCKETCALL msg=audit(1163170839.586:153524): nargs=6 a0=3 a1=bfec8220 a2=88 a3=0 a4=bfec8210 a5=c the additions that I made to local.te were: allow postgresql_t self:netlink_audit_socket create; allow postgresql_t self:netlink_route_socket create; Craig On Thu, 2006-11-09 at 14:54 -0700, Craig White wrote: > on CentOS 4.4 - trying to have postgres authenticate a user via pam via > LDAP > > ;-) > > I do see in /var/log/audit/audit.log > > type=AVC msg=audit(1163102102.393:151988): avc: denied { read } for > pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 > scontext=root:system_r > :postgresql_t tcontext=root:object_r:var_lib_t tclass=file > type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5 > success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0 > uid=26 gid=2 > 6 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" > exe="/usr/bin/postgres" > type=CWD msg=audit(1163102102.393:151988): cwd="/var/lib/pgsql" > type=PATH 
msg=audit(1163102102.393:151988): name="/var/lib/pgsql/ldaprc" > flags=101 inode=2864066 dev=fd:00 mode=0100644 ouid=26 ogid=26 > rdev=00:00 > type=AVC msg=audit(1163102102.395:151989): avc: denied { create } for > pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t > tcontext=root:syste > m_r:postgresql_t tclass=netlink_route_socket > type=SYSCALL msg=audit(1163102102.395:151989): arch=40000003 syscall=102 > success=no exit=-13 a0=1 a1=bfecd3cc a2=892ff4 a3=bfece464 items=0 > pid=9424 auid=0 > uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 > comm="postmaster" exe="/usr/bin/postgres" > type=SOCKETCALL msg=audit(1163102102.395:151989): nargs=3 a0=10 a1=3 > a2=0 > type=AVC msg=audit(1163102102.449:151990): avc: denied { create } for > pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t > tcontext=root:syste > m_r:postgresql_t tclass=netlink_audit_socket > type=SYSCALL msg=audit(1163102102.449:151990): arch=40000003 syscall=102 > success=no exit=-13 a0=1 a1=bfecc380 a2=a0eff4 a3=0 items=0 pid=9424 > auid=0 uid=26 > gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 > comm="postmaster" exe="/usr/bin/postgres" > > SO this is what I did... 
> > # audit2allow -i /var/log/audit/audit.log > allow postgresql_t self:netlink_audit_socket create; > allow postgresql_t self:netlink_route_socket create; > allow postgresql_t var_lib_t:file read; > > # audit2allow -i /var/log/audit/audit.log \ > >> /etc/selinux/targeted/src/policy/domains/local.te > > # cd /etc/selinux/targeted/src/policy/ > # make reload > > but I am still being refused access per strace of process (forked from > postmaster / postgres) > > [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), > sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied) > > [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), > sin_addr=inet_addr("255.255.255.255")}, 16) = -1 EACCES (Permission > denied) > > [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), > sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied) > > What am I missing? > > Thanks > > Craig > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From selinux at gmail.com Sat Nov 11 23:48:46 2006 
From: selinux at gmail.com (Tom London) Date: Sat, 11 Nov 2006 15:48:46 -0800 Subject: realplayer AVCs Message-ID: <4c4ba1530611111548h3a861b6arc7c70ffef30187a6@mail.gmail.com> After updating to selinux-policy-targeted-2.4.3-10, I notice the following AVCs when starting 'realplayer'. Realplayer no longer works. Didn't notice these before. Don't believe I saw any context changes during the update. type=AVC msg=audit(1163288612.216:22): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163288612.216:22): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163288612.224:23): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163288612.224:23): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163288612.224:24): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163288612.224:24): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" 
subj=user_u:system_r:unconfined_t:s0 key=(null) tom -- Tom London From shams2 at inMail24.com Mon Nov 13 19:59:40 2006 From: shams2 at inMail24.com (shams) Date: Tue, 14 Nov 2006 00:59:40 +0500 Subject: how to relabel one folder with SELinux Message-ID: <1163447980.5167.8.camel@localhost.localdomain> hi, I installed FC6; my document root for the server's html was on a separate partition that I mounted after installation under /var/www/. Now SELinux prevents reaching the document root. This is what it looks like:

www]$ ls -halZ
drwxr-xr-x root root system_u:object_r:textrel_shlib_t .
drwxr-xr-x root root system_u:object_r:var_t ..
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root user_u:object_r:file_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons

How can I relabel only the one directory, html? From selinux at gmail.com Mon Nov 13 15:31:28 2006 
From: selinux at gmail.com (Tom London) Date: Mon, 13 Nov 2006 07:31:28 -0800 Subject: execmem/execstack AVCs in recent updates Message-ID: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> Running latest rawhide, targeted/enforcing. I seem to be getting execmem/execstack AVCs that I don't recall getting before, e.g., from firefox, vmware, realplayer: Believe this is from starting vmware: type=AVC msg=audit(1163430106.494:54): avc: denied { execstack } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1163430106.494:54): avc: denied { execmem } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null) Believe this is from starting realplayer: type=AVC msg=audit(1163429593.548:23): avc: denied { execmem } for pid=3291 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163429593.548:23): arch=40000003 syscall=192 per=400000 success=yes exit=16433152 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3286 pid=3291 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null) These from firefox: type=AVC msg=audit(1163429690.683:30): avc: denied { execstack } for pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163429690.683:30): arch=40000003 
syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1163429690.693:31): avc: denied { execstack } for pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1163429690.693:31): arch=40000003 syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) Did I clobber an update somehow? tom -- Tom London From paul at city-fan.org Mon Nov 13 15:51:29 2006 From: paul at city-fan.org (Paul Howarth) Date: Mon, 13 Nov 2006 15:51:29 +0000 Subject: how to relabel one folder with SELinux In-Reply-To: <1163447980.5167.8.camel@localhost.localdomain> References: <1163447980.5167.8.camel@localhost.localdomain> Message-ID: <45589481.5020104@city-fan.org> shams wrote: > hi, > i installed the fc6, my Documents Root for the server html was in the > separate partition i mounted after installation under /var/www/, now > SELinux prevent to reach the document root the this is: > www]$ls -halZ > drwxr-xr-x root root system_u:object_r:textrel_shlib_t . > drwxr-xr-x root root system_u:object_r:var_t .. > drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error > drwxr-xr-x root root user_u:object_r:file_t html > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons > > how i can relabel the only one directory html? # restorecon -r /var/www Paul. From dwalsh at redhat.com Mon Nov 13 16:45:04 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 13 Nov 2006 11:45:04 -0500 Subject: realplayer AVCs In-Reply-To: <4c4ba1530611111548h3a861b6arc7c70ffef30187a6@mail.gmail.com> References: <4c4ba1530611111548h3a861b6arc7c70ffef30187a6@mail.gmail.com> Message-ID: <4558A110.3000201@redhat.com> Tom London wrote: > After updating to selinux-policy-targeted-2.4.3-10, I notice the > following AVCs when starting 'realplayer'. Realplayer no longer > works. Didn't notice these before. Don't believe I saw any context > changes during the update. > > type=AVC msg=audit(1163288612.216:22): avc: denied { execmem } for > pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163288612.216:22): arch=40000003 syscall=192 > per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 > ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" > exe="/usr/local/RealPlayer/realplay.bin" > subj=user_u:system_r:unconfined_t:s0 key=(null) > type=AVC msg=audit(1163288612.224:23): avc: denied { execmem } for > pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163288612.224:23): arch=40000003 syscall=192 > per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 > ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" > exe="/usr/local/RealPlayer/realplay.bin" > subj=user_u:system_r:unconfined_t:s0 key=(null) > type=AVC msg=audit(1163288612.224:24): avc: denied { execmem } for > pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163288612.224:24): arch=40000003 syscall=192 > per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 
a3=22 items=0 > ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" > exe="/usr/local/RealPlayer/realplay.bin" > subj=user_u:system_r:unconfined_t:s0 key=(null) > > tom Did they recently change the location of this file? grep realplay /etc/selinux/targeted/contexts/files/file_contexts /usr/local/RealPlay/realplay\.bin -- system_u:object_r:unconfined_execmem_exec_t:s0 From dwalsh at redhat.com Mon Nov 13 16:58:31 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 13 Nov 2006 11:58:31 -0500 Subject: execmem/execstack AVCs in recent updates In-Reply-To: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> Message-ID: <4558A437.6030309@redhat.com> Tom London wrote: > Running latest rawhide, targeted/enforcing. > > I seem to be getting execmem/execstack AVCs that I don't recall > getting before, e.g., from firefox, vmware, realplayer: > > Believe this is from starting vmware: > type=AVC msg=audit(1163430106.494:54): avc: denied { execstack } for > pid=3462 comm="ld-linux.so.2" > scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=AVC msg=audit(1163430106.494:54): avc: denied { execmem } for > pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 > success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0 > ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" > exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 > key=(null) > > Believe this is from starting realplayer: > type=AVC msg=audit(1163429593.548:23): avc: denied { execmem } for > pid=3291 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163429593.548:23): arch=40000003 syscall=192 > per=400000 success=yes exit=16433152 a0=0 a1=a01000 a2=7 a3=22 items=0 > ppid=3286 pid=3291 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" > exe="/usr/local/RealPlayer/realplay.bin" > subj=user_u:system_r:unconfined_t:s0 key=(null) > > These from firefox: > type=AVC msg=audit(1163429690.683:30): avc: 
denied { execstack } for > pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163429690.683:30): arch=40000003 syscall=125 > success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 > ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 > egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" > exe="/usr/lib/firefox-2.0/firefox-bin" > subj=user_u:system_r:unconfined_t:s0 key=(null) > type=AVC msg=audit(1163429690.693:31): avc: denied { execstack } for > pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1163429690.693:31): arch=40000003 syscall=125 > success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 > ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 > egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" > exe="/usr/lib/firefox-2.0/firefox-bin" > subj=user_u:system_r:unconfined_t:s0 key=(null) > > Did I clobber an update somehow? > > tom No, I just turned off the allow_execstack boolean in Rawhide. Just to punish you. :^) The goal is to find these problems. chcon -t unconfined_execmem_t /usr/local/RealPlayer/realplay.bin Should fix. Is firefox-bin dying? Do you think this is a plugin? Is it trying to run realplayer? From dwalsh at redhat.com Mon Nov 13 17:16:19 2006 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 13 Nov 2006 12:16:19 -0500 Subject: AVC denied for Spamassassin In-Reply-To: <45547FA6.8070604@city-fan.org> References: <4552C497.4030403@Englisch.us> <4553274F.2000708@redhat.com> <45547FA6.8070604@city-fan.org> Message-ID: <4558A863.4000509@redhat.com> Paul Howarth wrote: > Daniel J Walsh wrote: >> Volker Englisch wrote: >>> I have a lot of avc messages in my log file indicating a problem >>> with spamassassin/mqueue. >>> I am running FC6 with a standard installation and don't know why >>> there is a problem with the directory /var/spool/mqueue. >>> $ ls -Zd mqueue >>> drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/ >>> >>> Do I need to change the context for this directory? >>> >>> Below are some of the messages from my log file: >>> >>> Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: >>> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >>> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: >>> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >>> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: >>> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >>> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: >>> denied { search } for pid=14530 comm="spamassassin" name="mqueue" >>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 >>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir >>> >> Does procmail need to read this directory? >> Does procmail need to be able to write this directory? 
> > Isn't this a consequence of procmail being the local delivery agent > for sendmail by default? > > Paul. I am no procmail expert. :^) But I just modified this to a dontaudit in the policy, since we were already dontauditing the read of this file. Seems that the people who wrote the policy believe procmail does not need to read these files. Dan From selinux at gmail.com Mon Nov 13 17:32:44 2006 
From: selinux at gmail.com (Tom London)
Date: Mon, 13 Nov 2006 09:32:44 -0800
Subject: realplayer AVCs
In-Reply-To: <4558A110.3000201@redhat.com>
References: <4c4ba1530611111548h3a861b6arc7c70ffef30187a6@mail.gmail.com> <4558A110.3000201@redhat.com>
Message-ID: <4c4ba1530611130932l70d1437fg203e9de87ee437b3@mail.gmail.com>

On 11/13/06, Daniel J Walsh wrote:
> Tom London wrote:
> > After updating to selinux-policy-targeted-2.4.3-10, I notice the
> > following AVCs when starting 'realplayer'. Realplayer no longer
> > works. Didn't notice these before. Don't believe I saw any context
> > changes during the update.
> >
> > type=AVC msg=audit(1163288612.216:22): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163288612.216:22): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
> > type=AVC msg=audit(1163288612.224:23): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163288612.224:23): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
> > type=AVC msg=audit(1163288612.224:24): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163288612.224:24): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > tom
> Did they recently change the location of this file?
>
> grep realplay /etc/selinux/targeted/contexts/files/file_contexts
> /usr/local/RealPlay/realplay\.bin -- system_u:object_r:unconfined_execmem_exec_t:s0
>
Ah.... mine seems to be installed in /usr/local/RealPlayer.

Perhaps

/usr/local/RealPlay(er)?/realplay\.bin -- system_u:object_r:unconfined_execmem_exec_t:s0

tom
-- 
Tom London

From selinux at gmail.com Mon Nov 13 18:04:51 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 13 Nov 2006 10:04:51 -0800
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4558A437.6030309@redhat.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com>
Message-ID: <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com>

On 11/13/06, Daniel J Walsh wrote:
> Tom London wrote:
> > Running latest rawhide, targeted/enforcing.
> >
> > I seem to be getting execmem/execstack AVCs that I don't recall
> > getting before, e.g., from firefox, vmware, realplayer:
> >
> > Believe this is from starting vmware:
> > type=AVC msg=audit(1163430106.494:54): avc: denied { execstack } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=AVC msg=audit(1163430106.494:54): avc: denied { execmem } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > Believe this is from starting realplayer:
> > type=AVC msg=audit(1163429593.548:23): avc: denied { execmem } for pid=3291 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163429593.548:23): arch=40000003 syscall=192 per=400000 success=yes exit=16433152 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3286 pid=3291 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > These from firefox:
> > type=AVC msg=audit(1163429690.683:30): avc: denied { execstack } for pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163429690.683:30): arch=40000003 syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
> > type=AVC msg=audit(1163429690.693:31): avc: denied { execstack } for pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > type=SYSCALL msg=audit(1163429690.693:31): arch=40000003 syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
> >
> > Did I clobber an update somehow?
> >
> > tom
> No I just turned off allow_execstack boolean in Rawhide. Just to punish
> you. :^)
> The goal is to find these problems.
>
> chcon -t unconfined_execmem_t /usr/local/RealPlayer/realplay.bin
>
> Should fix.
>
> Is firefox-bin dying? Do you think this is a plugin? Is it trying to
> run realplayer?
>
Thanks! I needed that 'recharge' to my normal paranoia level ;)

I 'fixed' RealPlayer and restarted firefox. Here is a bit more data:
1. Firefox does not die.
2. Seems to happen when I 'login' to my gmail account.

Seem to get multiple
type=AVC msg=audit(1163439760.769:49): avc: denied { execstack } for pid=3652 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163439760.769:49): arch=40000003 syscall=125 success=no exit=-13 a0=bfabe000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)

Also, vmware is still unhappy :-(

tom
-- 
Tom London

From dwalsh at redhat.com Mon Nov 13 20:51:42 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 13 Nov 2006 15:51:42 -0500
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com>
Message-ID: <4558DADE.8020906@redhat.com>

Tom London wrote:
> On 11/13/06, Daniel J Walsh wrote:
>> Tom London wrote:
>> > Running latest rawhide, targeted/enforcing.
>> >
>> > I seem to be getting execmem/execstack AVCs that I don't recall
>> > getting before, e.g., from firefox, vmware, realplayer:
>> >
>> > Believe this is from starting vmware:
>> > type=AVC msg=audit(1163430106.494:54): avc: denied { execstack } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=AVC msg=audit(1163430106.494:54): avc: denied { execmem } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> >
>> > Believe this is from starting realplayer:
>> > type=AVC msg=audit(1163429593.548:23): avc: denied { execmem } for pid=3291 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163429593.548:23): arch=40000003 syscall=192 per=400000 success=yes exit=16433152 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3286 pid=3291 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> >
>> > These from firefox:
>> > type=AVC msg=audit(1163429690.683:30): avc: denied { execstack } for pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163429690.683:30): arch=40000003 syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> > type=AVC msg=audit(1163429690.693:31): avc: denied { execstack } for pid=3327 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163429690.693:31): arch=40000003 syscall=125 success=no exit=-13 a0=bfb21000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3327 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> >
>> > Did I clobber an update somehow?
>> >
>> > tom
>> No I just turned off allow_execstack boolean in Rawhide. Just to punish
>> you. :^)
>> The goal is to find these problems.
>>
>> chcon -t unconfined_execmem_t /usr/local/RealPlayer/realplay.bin
>>
>> Should fix.
>>
>> Is firefox-bin dying? Do you think this is a plugin? Is it trying to
>> run realplayer?
>>
> Thanks! I needed that 'recharge' to my normal paranoia level ;)
>
> I 'fixed' RealPlayer and restarted firefox. Here is a bit more data:
> 1. Firefox does not die.
> 2. Seems to happen when I 'login' to my gmail account.
>
> Seem to get multiple
> type=AVC msg=audit(1163439760.769:49): avc: denied { execstack } for pid=3652 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1163439760.769:49): arch=40000003 syscall=125 success=no exit=-13 a0=bfabe000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
Could you open a bugzilla on this for firefox.
>
> Also, vmware is still unhappy :-(
What is it complaining about?
>
> tom

From dwalsh at redhat.com Mon Nov 13 20:52:58 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 13 Nov 2006 15:52:58 -0500
Subject: realplayer AVCs
In-Reply-To: <4c4ba1530611130932l70d1437fg203e9de87ee437b3@mail.gmail.com>
References: <4c4ba1530611111548h3a861b6arc7c70ffef30187a6@mail.gmail.com> <4558A110.3000201@redhat.com> <4c4ba1530611130932l70d1437fg203e9de87ee437b3@mail.gmail.com>
Message-ID: <4558DB2A.7040007@redhat.com>

Tom London wrote:
> On 11/13/06, Daniel J Walsh wrote:
>> Tom London wrote:
>> > After updating to selinux-policy-targeted-2.4.3-10, I notice the
>> > following AVCs when starting 'realplayer'. Realplayer no longer
>> > works. Didn't notice these before. Don't believe I saw any context
>> > changes during the update.
>> >
>> > type=AVC msg=audit(1163288612.216:22): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163288612.216:22): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> > type=AVC msg=audit(1163288612.224:23): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163288612.224:23): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> > type=AVC msg=audit(1163288612.224:24): avc: denied { execmem } for pid=3365 comm="realplay.bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1163288612.224:24): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=3360 pid=3365 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="realplay.bin" exe="/usr/local/RealPlayer/realplay.bin" subj=user_u:system_r:unconfined_t:s0 key=(null)
>> >
>> > tom
>> Did they recently change the location of this file?
>>
>> grep realplay /etc/selinux/targeted/contexts/files/file_contexts
>> /usr/local/RealPlay/realplay\.bin -- system_u:object_r:unconfined_execmem_exec_t:s0
>>
> Ah.... mine seems to be installed in /usr/local/RealPlayer.
>
> Perhaps
>
> /usr/local/RealPlay(er)?/realplay\.bin -- system_u:object_r:unconfined_execmem_exec_t:s0
>
> tom
No, I think the file context was a bug, since it is installed in RealPlayer on my machine also. (Yes, I turned off the allow_execstack on my machine too.)

Fixed in tonight's rawhide.

From selinux at gmail.com Mon Nov 13 22:00:42 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 13 Nov 2006 14:00:42 -0800
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4558DADE.8020906@redhat.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com> <4558DADE.8020906@redhat.com>
Message-ID: <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com>

On 11/13/06, Daniel J Walsh wrote:
> Could you open a bugzilla on this for firefox.
Yup: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215424
>
> > Also, vmware is still unhappy :-(
> What is it complaining about?
type=AVC msg=audit(1163450320.414:32): avc: denied { execstack } for pid=3763 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163450320.414:32): arch=40000003 syscall=125 success=yes exit=0 a0=bfef2000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3761 pid=3763 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)

tom
-- 
Tom London

From selinux at gmail.com Mon Nov 13 22:02:15 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 13 Nov 2006 14:02:15 -0800
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com> <4558DADE.8020906@redhat.com> <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com>
Message-ID: <4c4ba1530611131402l1fcc220dp9cb04a67301f4fcb@mail.gmail.com>

On 11/13/06, Tom London wrote:
> On 11/13/06, Daniel J Walsh wrote:
> > Could you open a bugzilla on this for firefox.
> Yup: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215424
> >
> > > Also, vmware is still unhappy :-(
> > What is it complaining about?
> type=AVC msg=audit(1163450320.414:32): avc: denied { execstack } for pid=3763 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1163450320.414:32): arch=40000003 syscall=125 success=yes exit=0 a0=bfef2000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3761 pid=3763 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
>
Actually, execmem is generated also.....

type=AVC msg=audit(1163430106.494:54): avc: denied { execstack } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1163430106.494:54): avc: denied { execmem } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)

-- 
Tom London

From dwalsh at redhat.com Tue Nov 14 14:41:09 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 14 Nov 2006 09:41:09 -0500
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4c4ba1530611131402l1fcc220dp9cb04a67301f4fcb@mail.gmail.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com> <4558DADE.8020906@redhat.com> <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com> <4c4ba1530611131402l1fcc220dp9cb04a67301f4fcb@mail.gmail.com>
Message-ID: <4559D585.9030108@redhat.com>

Tom London wrote:
> On 11/13/06, Tom London wrote:
>> On 11/13/06, Daniel J Walsh wrote:
>> > Could you open a bugzilla on this for firefox.
>> Yup: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215424
>> > >
>> > > Also, vmware is still unhappy :-(
>> > What is it complaining about?
>> type=AVC msg=audit(1163450320.414:32): avc: denied { execstack } for pid=3763 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> type=SYSCALL msg=audit(1163450320.414:32): arch=40000003 syscall=125 success=yes exit=0 a0=bfef2000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3761 pid=3763 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
>>
>
> Actually, execmem is generated also.....
>
> type=AVC msg=audit(1163430106.494:54): avc: denied { execstack } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=AVC msg=audit(1163430106.494:54): avc: denied { execmem } for pid=3462 comm="ld-linux.so.2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1163430106.494:54): arch=40000003 syscall=125 success=yes exit=0 a0=bfd55000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3460 pid=3462 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:unconfined_t:s0 key=(null)
Can you open a bug on this, so I can get Uli and some of the kernel/gcc guys to look at this.

From selinux at gmail.com Tue Nov 14 15:35:55 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 14 Nov 2006 07:35:55 -0800
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4559D585.9030108@redhat.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com> <4558DADE.8020906@redhat.com> <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com> <4c4ba1530611131402l1fcc220dp9cb04a67301f4fcb@mail.gmail.com> <4559D585.9030108@redhat.com>
Message-ID: <4c4ba1530611140735t4b2b5a73w66bac2abce57cb3e@mail.gmail.com>

On 11/14/06, Daniel J Walsh wrote:
> Can you open a bug on this, so I can get Uli and some of the kernel/gcc
> guys to look at this.
>
Done: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215526
-- 
Tom London

From dwalsh at redhat.com Tue Nov 14 16:06:19 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 14 Nov 2006 11:06:19 -0500
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4c4ba1530611140735t4b2b5a73w66bac2abce57cb3e@mail.gmail.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com> <4558DADE.8020906@redhat.com> <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com> <4c4ba1530611131402l1fcc220dp9cb04a67301f4fcb@mail.gmail.com> <4559D585.9030108@redhat.com> <4c4ba1530611140735t4b2b5a73w66bac2abce57cb3e@mail.gmail.com>
Message-ID: <4559E97B.4080502@redhat.com>

Tom London wrote:
> On 11/14/06, Daniel J Walsh wrote:
>> Can you open a bug on this, so I can get Uli and some of the kernel/gcc
>> guys to look at this.
>>
> Done: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215526
>
If you

chcon -t unconfined_execmem_exec_t vmware

does this problem go away?

From selinux at gmail.com Tue Nov 14 17:51:33 2006
From: selinux at gmail.com (Tom London)
Date: Tue, 14 Nov 2006 09:51:33 -0800
Subject: execmem/execstack AVCs in recent updates
In-Reply-To: <4559E97B.4080502@redhat.com>
References: <4c4ba1530611130731x21154509qef161b3a5553b302@mail.gmail.com> <4558A437.6030309@redhat.com> <4c4ba1530611131004g2fea94b0y391117d081ce33a2@mail.gmail.com> <4558DADE.8020906@redhat.com> <4c4ba1530611131400v44be6cf5oa050b7748ccb1b78@mail.gmail.com> <4c4ba1530611131402l1fcc220dp9cb04a67301f4fcb@mail.gmail.com> <4559D585.9030108@redhat.com> <4c4ba1530611140735t4b2b5a73w66bac2abce57cb3e@mail.gmail.com> <4559E97B.4080502@redhat.com>
Message-ID: <4c4ba1530611140951w6664008cm5ef8be456bad93f5@mail.gmail.com>

On 11/14/06, Daniel J Walsh wrote:
> Tom London wrote:
> > On 11/14/06, Daniel J Walsh wrote:
> >> Can you open a bug on this, so I can get Uli and some of the kernel/gcc
> >> guys to look at this.
> >>
> > Done: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215526
> >
> If you chcon -t unconfined_execmem_exec_t vmware
>
> Does this problem go away?
>
I tracked the firefox execstack AVCs to an obviously faulty realplayer plugin. Removing the offender clears this up.

tom
-- 
Tom London

From mike.clarkson at baesystems.com Wed Nov 15 19:31:26 2006
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Wed, 15 Nov 2006 11:31:26 -0800
Subject: NFS client support
Message-ID:

A 2001 paper on SELinux that I have discusses SELinux's ability to control access to file systems mounted from ordinary NFS servers. It says that each file will be labeled based upon the NFS server identity. It goes on to say that separate labels for different file systems mounted from the same NFS server could be supported but is not currently implemented.

Does fedora provide this capability? And if so, is the granularity of the labeling based upon NFS server identity or file system?

Thanks,
Mike

From LEFFLESA at nv.doe.gov Wed Nov 15 20:35:17 2006
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Wed, 15 Nov 2006 13:35:17 -0700
Subject: semodule error/question
Message-ID:

The Setup:
In VMware (winders based) I created a FC5 barebones httpd server running strict policy.
Couldn't start the init process before it hung.

I ran dmesg | audit2allow -M dmesg and got a nice big module to install. Since this is only for learning on a test network I decided to add the whole module.

When I ran semodule -i dmesg.pp I got this error:

libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/strict/modules/tmp/base.pp.
semodule: Failed!

There is no /etc/selinux/strict/modules or /etc/selinux/strict/modules/tmp/ directory. Is this created only when using the policy src.rpm? I did read in a January '06 post that there were some problems with the module/module.conf, don't know if this is related.

Pertinent info:
Kernel 2.6.18-1.2239.fc5
Checkpolicy-1.32-1.fc5
selinux-policy-strict.noarch 2.3.7-2.fc5
libsemanage-1.6.17-1
Policycoreutils-1.33.1-1

Thanks guys,
Sean

From dwalsh at redhat.com Wed Nov 15 21:47:19 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Nov 2006 16:47:19 -0500
Subject: NFS client support
Message-ID: <455B8AE7.3050206@redhat.com>

Clarkson, Mike R (US SSA) wrote:
> A 2001 paper on SELinux that I have discusses SELinux's ability to
> control access to file systems mounted from ordinary NFS servers. It
> says that each file will be labeled based upon the NFS server
> identity. It goes on to say that separate labels for different file
> systems mounted from the same NFS server could be supported but is not
> currently implemented.
>
> Does fedora provide this capability? And if so, is the granularity of
> the labeling based upon NFS server identity or file system?
>
The mount command has the ability to specify the context of the remote site. So it is up to the administrator.
>
> Thanks,
>
> Mike

From dwalsh at redhat.com Wed Nov 15 21:50:16 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Nov 2006 16:50:16 -0500
Subject: semodule error/question
Message-ID: <455B8B98.5040604@redhat.com>

Leffler, Sean wrote:
> The Setup:
> In VMware (winders based) I created a FC5 barebones httpd server running
> strict policy.
> Couldn't start the init process before it hung.
>
> I ran dmesg | audit2allow -M dmesg and got a nice big module to install.
> Since this is only for learning on a test network I decided to add the
> whole module.
>
> When I ran semodule -i dmesg.pp I got this error:
>
> libsemanage.semanage_link_sandbox: Could not access sandbox base file
> /etc/selinux/strict/modules/tmp/base.pp.
> semodule: Failed!
>
Are you running on a strict policy machine? Or is the machine confused? Which policy packages do you have installed? You probably should install the rpm to make sure the directories get created correctly.
> There is no /etc/selinux/strict/modules or
> /etc/selinux/strict/modules/tmp/ directory.
> Is this created only when using the policy src.rpm? I did read in a
> January '06 post that there was some problems with the
> module/module.conf, don't know if this is related.
>
> Pertinent info:
> Kernel 2.6.18-1.2239.fc5
> Checkpolicy-1.32-1.fc5
> selinux-policy-strict.noarch 2.3.7-2.fc5
> libsemanage-1.6.17-1
> Policycoreutils-1.33.1-1
>
> Thanks guys,
>
> Sean

From fenn at stanford.edu Wed Nov 15 22:08:00 2006
From: fenn at stanford.edu (Tim Fenn)
Date: Wed, 15 Nov 2006 14:08:00 -0800
Subject: nvidia 9626(9) drivers
Message-ID: <20061115220759.GB32739@stanford.edu>

I've noticed with the latest nvidia drivers (9626 and 9629, obtained as RPMs from atrpms.net), nvidia_drv.o requires the textrel_shlib_t label, without which X fails to load:

(II) Loading /usr/lib/xorg/modules/drivers/nvidia_drv.o
dlopen: /usr/lib/xorg/modules/drivers/nvidia_drv.o: cannot restore segment prot after reloc: Permission denied
(EE) Failed to load /usr/lib/xorg/modules/drivers/nvidia_drv.o

Adding the following to file_contexts fixed things for me:

/usr/lib(64)?/xorg/modules/drivers/nvidia-.*_drv\.o -- system_u:object_r:textrel_shlib_t:s0

If it would be best for me to file a bugzilla ticket, let me know.

Regards,
Tim

From pravinth_g at yahoo.co.uk Thu Nov 16 13:18:58 2006
From: pravinth_g at yahoo.co.uk (ganesan pravinth)
Date: Thu, 16 Nov 2006 13:18:58 +0000 (GMT)
Subject: one particular key is not working
Message-ID: <20061116131858.52695.qmail@web25411.mail.ukl.yahoo.com>

Hi,

I am new to fedora. For me the . with > key is not working. But the same key is working for others' login. Before login that key is working but after I login that particular key is not working. Please help me. Any idea what might be the reason???

Thank You all !

From LEFFLESA at nv.doe.gov Thu Nov 16 17:15:03 2006
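The "cannot restore segment prot after reloc" failure in Tim Fenn's nvidia_drv.o report above is ld.so putting PROT_EXEC back on a text segment it had to make writable to apply relocations; SELinux checks that mprotect as execmod and, in the Fedora policy, only grants it for files labelled textrel_shlib_t. The check below is an added example, not code from the list, from the nvidia packages or from the SELinux tools: it walks the PT_DYNAMIC segment of an ELF object and reports whether DT_TEXTREL is present or DF_TEXTREL is set in DT_FLAGS (the condition `readelf -d` prints as TEXTREL and elfutils' eu-findtextrel looks for), then emits the file_contexts line to add for that path. The build_elf helper and the sample images it makes are constructed for the test only; a real driver object contains far more, but the parser reads only the headers it needs.

```python
import struct

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4
TEXTREL_CONTEXT = 'system_u:object_r:textrel_shlib_t:s0'


def has_textrel(data):
    """True if the ELF image in `data` declares text relocations: a DT_TEXTREL
    entry, or DF_TEXTREL in DT_FLAGS, inside its PT_DYNAMIC segment.  Such an
    object is made writable and then executable again at load time, which is
    the mprotect that SELinux checks as execmod."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = '<' if data[5] == 1 else '>'      # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        ehdr_fmt, phdr_fmt, dyn_fmt = '16sHHIQQQIHHHHHH', 'IIQQQQQQ', 'qQ'
        off_idx, size_idx = 2, 5            # p_offset, p_filesz in Elf64_Phdr
    else:
        ehdr_fmt, phdr_fmt, dyn_fmt = '16sHHIIIIIHHHHHH', 'IIIIIIII', 'iI'
        off_idx, size_idx = 1, 4            # p_offset, p_filesz in Elf32_Phdr
    ehdr = struct.unpack_from(end + ehdr_fmt, data, 0)
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    dyn_size = struct.calcsize(end + dyn_fmt)
    for i in range(phnum):
        ph = struct.unpack_from(end + phdr_fmt, data, phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        off, size = ph[off_idx], ph[size_idx]
        for pos in range(off, off + size, dyn_size):
            tag, val = struct.unpack_from(end + dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


def fc_escape(path):
    """Escape a literal path for use as a file_contexts regex."""
    return ''.join('\\' + c if c in '.^$*+?()[]{}|\\' else c for c in path)


def file_context_line(path):
    """The file_contexts entry to add for a TEXTREL object at `path`."""
    return '%s -- %s' % (fc_escape(path), TEXTREL_CONTEXT)


def scan_file(path):
    """Return the file_contexts line if the object needs textrel_shlib_t, else None."""
    with open(path, 'rb') as f:
        data = f.read()
    return file_context_line(path) if has_textrel(data) else None


def build_elf(dyn_entries, is64=True):
    """Construct a minimal little-endian ELF image with one PT_DYNAMIC segment.
    Test input only (an assumption of this example, not a real driver)."""
    entries = list(dyn_entries) + [(DT_NULL, 0)]
    if is64:
        ehsize, phsize = 64, 56
        ident = b'\x7fELF' + bytes([2, 1, 1]) + bytes(9)
        dyn = b''.join(struct.pack('<qQ', t, v) for t, v in entries)
        phdr = struct.pack('<IIQQQQQQ', PT_DYNAMIC, 6, ehsize + phsize, 0, 0,
                           len(dyn), len(dyn), 8)
        ehdr = struct.pack('<16sHHIQQQIHHHHHH', ident, 3, 62, 1, 0, ehsize, 0, 0,
                           ehsize, phsize, 1, 0, 0, 0)
    else:
        ehsize, phsize = 52, 32
        ident = b'\x7fELF' + bytes([1, 1, 1]) + bytes(9)
        dyn = b''.join(struct.pack('<iI', t, v) for t, v in entries)
        phdr = struct.pack('<IIIIIIII', PT_DYNAMIC, ehsize + phsize, 0, 0,
                           len(dyn), len(dyn), 6, 4)
        ehdr = struct.pack('<16sHHIIIIIHHHHHH', ident, 3, 3, 1, 0, ehsize, 0, 0,
                           ehsize, phsize, 1, 0, 0, 0)
    return ehdr + phdr + dyn


if __name__ == '__main__':
    # Stand-alone demonstration on the constructed images.
    for name, img in [('textrel64', build_elf([(DT_TEXTREL, 0)])),
                      ('flags32', build_elf([(DT_FLAGS, DF_TEXTREL)], is64=False)),
                      ('clean64', build_elf([(DT_FLAGS, 0)]))]:
        print(name, has_textrel(img))
    print(file_context_line('/usr/lib/xorg/modules/drivers/nvidia_drv.o'))
```

Run `scan_file` over the driver directory before relabelling: an object that reports False does not need textrel_shlib_t, and granting it anyway hands execmod to a file that never asked for it. Note that the regex Tim posted is written to match `nvidia-*_drv.o` names; the literal line this script prints matches exactly the path scanned.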
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Thu, 16 Nov 2006 10:15:03 -0700
Subject: semodule error/question
In-Reply-To: <455B8B98.5040604@redhat.com>
Message-ID:

Dan, via 'yum list installed' I get the following:

selinux-policy.noarch
selinux-policy-strict.noarch
selinux-policy-targeted.noarch

All 3 are version 2.3.7-2.fc5

I removed those and yum'd selinux-policy-strict which installed the following:

selinux-policy.noarch
selinux-policy-strict.noarch (version 2.3.7-2.fc5)

I enabled strict, permissive in the /etc/selinux/config file; did a touch /.autorelabel; reboot

Reran the dmesg | audit2allow -M dmesg; semodule -i dmesg.pp and got this:

semodule: symbol lookup error: /lib/libsemanage.so.1: undefined symbol: selinux_file_context_local_path

Also, after uninstalling/reinstalling selinux, my semanage is now broken:

# semanage
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 24, in ?
    import seobject
  File "/usr/lib/python2.4/site-packages/seobject.py", line 25, in ?
    from semanage import *;
  File "/usr/lib/python2.4/site-packages/semanage.py", line 5, in ?
    import _semanage
ImportError: /lib/libsemanage.so.1: undefined symbol: selinux_file_context_local_path

Thanks for your help with this, I sincerely appreciate it!

Sean Leffler
NSTec

From LEFFLESA at nv.doe.gov Thu Nov 16 18:30:54 2006
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Thu, 16 Nov 2006 11:30:54 -0700
Subject: one particular key is not working
In-Reply-To: <20061116131858.52695.qmail@web25411.mail.ukl.yahoo.com>
Message-ID:

This is a Fedora-SELinux mailing list. I think this is the list you are looking for:
http://www.redhat.com/mailman/listinfo/fedora-list

In answer to your question, try the following in a gnome terminal:

xmodmap -e 'keycode 60 = greater'

Sean
NSTec

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of ganesan pravinth
Sent: Thursday, November 16, 2006 6:19 AM
To: fedora-selinux-list at redhat.com
Subject: one particular key is not working

Hi,

I am new to fedora. For me the . with > key is not working. But the same key is working for others' login. Before login that key is working but after I login that particular key is not working. Please help me. Any idea what might be the reason???

Thank You all !

From ejtr at layer3.co.uk Sat Nov 18 16:08:29 2006
From: ejtr at layer3.co.uk (Ted Rule)
Date: Sat, 18 Nov 2006 16:08:29 +0000
Subject: Audit Daemon / LogWatch / SELinux et al
Message-ID: <1163866109.7188.27.camel@topaz.bugfinder.co.uk>

I wanted to integrate auditd with Logwatch as well as providing for overnight audit log rotation. Sadly, I'm still on FC4, so some of what follows may be out of date. Nevertheless, since the current FC6 Logwatch RPM isn't able to process /var/log/audit/audit.log, I thought the following might be of general interest anyway.

By default, my system was previously set with auditd disabled on boot. Once I enabled auditd, I found that auditd logged numerous types of message other than plain SELinux AVCs. Syslog (actually syslog-ng reading /proc/kmsg) had only logged AVCs. Curiously, if I started auditd and then stopped it again without a reboot, syslog immediately started logging all manner of non-AVC messages.

Is it a bug that only AVC messages are logged via syslog when auditd is never started, OR is it a bug that non-AVC messages are logged via syslog when auditd is stopped after being run temporarily? I would imagine that this 'bug' is in the kernel itself, or perhaps a problem with the cleanliness of auditd's shutdown sequence.

The audit RPM provides an example cron script for SIGUSR1'ing auditd on demand. I created a copy of this in /etc/cron.daily so that it is called BEFORE logwatch is run overnight, as in:

$ rpm -qvl audit | grep cron
-rw-r--r-- 1 root root 271 Nov 4 2005 /usr/share/doc/audit-1.0.14/auditd.cron
$ cat /etc/cron.daily/0auditrotate
#!/bin/sh
##########
# This script can be installed to get a daily log rotation
# based on a cron job.
##########
/sbin/service auditd rotate
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
$

The problem I then found was that system_crond_t had insufficient permissions to signal the daemon, so I had to add these extra permissions to my local SELinux policy:

# Allow Cron invocations of auditdrotate to kill -USR1 auditd
# Cron needs to read /var/run/audit.pid, and /proc/
# as well as SIGUSR1 the process itself.
allow system_crond_t auditd_var_run_t:file r_file_perms;
allow system_crond_t auditd_t:dir r_dir_perms;
allow system_crond_t auditd_t:process { signull signal };

Could/should the above set of permissions to grant Cron the ability to rotate audit logs be added to default policy? Perhaps controlled by an additional Boolean?

Would it be a better overall solution to add an extra command-line option to auditctl so that it signals auditd via either SIGUSR1 or a private control channel? Cron could then be granted permission to run auditctl instead of directly signalling the daemon.

Would it perhaps be better to relabel /etc/cron.daily/0auditrotate as auditctl_exec_t?

I note from auditd.conf's man page that raising the number of logs which auditd rotates upon receipt of SIGUSR1 may be problematical, as it may require increasing the kernel backlog setting in audit.rules. Since I would prefer to be able to have a complete rolling month's worth of history to hand, with or without compression, I wonder if it might be useful to get /etc/cron.daily/0auditrotate to pre-rotate AND gzip older logs before SIGUSR1'ing auditd. Since the gzip'ed logs would presumably be "invisible" to auditd, but "visible" to Logwatch's Archive processing, this would still allow Logwatch to run correctly, whilst reducing the rotation processing load on auditd itself. There are probably numerous little race conditions to beware of here, of course!

The next problem, of course, was that logwatch, running as system_crond_t under FC4, but presumably as logwatch_t under FC5 and above, is unable to read /var/log/audit by default. To work round this, I duly added this set of permissions to my local policy:

# Allow Cron invocations of logwatch to read /var/log/audit
allow system_crond_t auditd_log_t:file r_file_perms;
allow system_crond_t auditd_log_t:dir r_dir_perms;

Could/should logwatch_t be granted permission to be an audit_log reader under latest policy by default, please? Perhaps controlled by an additional Boolean?

The default installation of logwatch itself has a script for processing the AVC messages which are routed via syslog, namely /usr/share/logwatch/scripts/services/audit. Unfortunately, because of the difference in log format, and the log timestamping in particular, logwatch is unable to process /var/log/audit/audit.log "out of the box". Furthermore, it seems that this script is not capable of properly handling various non-AVC messages.

To work round this problem, I created an extra shared script for logwatch, /etc/logwatch/scripts/shared/applyauditdate, which explicitly matched on the "date +%s" style timestamp in audit messages. This was tied into some additional configuration files, and a modified form of /usr/share/logwatch/scripts/services/audit, which I have placed in /etc/logwatch/scripts/services/auditd, for processing raw audit daemon logs. I would envisage that a fully integrated installation would place the new script in /usr/share/logwatch/scripts/services/auditd, of course.

With this all in place, I was finally able to get a daily Logwatch summary of all audit daemon activity, including all the non-AVC messages, albeit currently limited to a 4-day history.

-- 
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From LEFFLESA at nv.doe.gov Sat Nov 18 18:11:45 2006
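The parsing job Ted describes above (matching the "date +%s" style timestamp and coping with the non-AVC record types) comes down to reading raw auditd records and joining the ones that share an event id, which is also what ties an AVC record to the path in its AVC_PATH sibling. The following is an added example, not Ted's logwatch script nor anything from the audit package; the sample records are constructed, modelled on the ones quoted in this thread, and the kernel/syslog-style line without a type= prefix is included to show the format difference he ran into.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample input modelled on records quoted in this thread; it mixes
# raw auditd records (type=... prefix) with one kernel/syslog-style AVC line
# that has no type= prefix, plus an unrelated syslog line that must be skipped.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1163866000.000:8): auditd start, ver=1.0.14 format=raw pid=1200
type=AVC msg=audit(1163892174.128:14): avc:  denied  { execmod } for  pid=1364 comm="slimserver.pl" name="mysql.so" dev=dm-2 ino=200014 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1163892174.128:14): arch=40000003 syscall=125 success=no exit=-13 a0=8d0000 a1=2a000 a2=5 a3=bfc37f10 items=0 ppid=1360 pid=1364 auid=0 uid=0 comm="slimserver.pl" exe="/usr/bin/perl" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163892174.128:14): path="/opt/slimserver/trunk/server/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so"
type=USER_LOGIN msg=audit(1163892300.500:15): user pid=1400 uid=0 auid=500 msg='acct="alice" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=ssh res=success'
audit(1164099430.289:6): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
Nov 18 16:08:29 topaz kernel: eth0: no IPv6 routers present
"""

RECORD_RE = re.compile(
    r"^(?:type=(?P<type>\w+)\s+msg=)?audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audit_time(secs, ms):
    """Render the date +%s style stamp as ISO 8601 UTC, keeping the logged
    millisecond field exactly instead of going through a float."""
    stamp = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    stamp = stamp.replace(microsecond=int(ms.ljust(6, "0")[:6]))
    return stamp.isoformat(timespec="milliseconds")


def parse_kv(text):
    """Turn 'pid=1364 comm="foo" ...' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit record; returns None for lines in any other format."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {
        # syslog-routed AVCs carry no type= prefix, so infer it from the body
        "type": m.group("type") or ("AVC" if body.startswith("avc:") else "UNKNOWN"),
        "event": f'{m.group("secs")}.{m.group("ms")}:{m.group("serial")}',
        "time": audit_time(m.group("secs"), m.group("ms")),
        "fields": parse_kv(body),
    }
    avc = AVC_RE.match(body) if rec["type"] == "AVC" else None
    if avc:
        rec["result"] = avc.group("result")
        rec["perms"] = avc.group("perms").split()
        rec["fields"] = parse_kv(avc.group("rest"))
    return rec


def summarize(log_text):
    """Group records by event id, then emit one summary per AVC with the path
    and executable pulled from the sibling AVC_PATH and SYSCALL records.
    Every record type is counted too, so non-AVC activity is not lost."""
    events = defaultdict(list)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        counts[rec["type"]] += 1
        events[rec["event"]].append(rec)

    avcs = []
    for event_id, recs in events.items():
        by_type = {r["type"]: r["fields"] for r in recs}
        for r in recs:
            if "result" not in r:
                continue
            f = r["fields"]
            avcs.append({
                "event": event_id,
                "time": r["time"],
                "result": r["result"],
                "perms": r["perms"],
                "comm": f.get("comm"),
                "scontext": f.get("scontext"),
                "tcontext": f.get("tcontext"),
                "tclass": f.get("tclass"),
                "path": by_type.get("AVC_PATH", {}).get("path"),
                "exe": by_type.get("SYSCALL", {}).get("exe"),
            })
    return avcs, dict(counts)


if __name__ == "__main__":
    denials, counts = summarize(SAMPLE_LOG)
    for d in denials:
        print(f'{d["time"]} {d["result"]} {{ {" ".join(d["perms"])} }} '
              f'{d["scontext"]} -> {d["tcontext"]}:{d["tclass"]} '
              f'comm={d["comm"]} exe={d["exe"]} path={d["path"]}')
    print("record types:", counts)
```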
From: LEFFLESA at nv.doe.gov (Leffler, Sean)
Date: Sat, 18 Nov 2006 11:11:45 -0700
Subject: Semanage/libsemanage Python Errors

I was trying to install the latest refpolicy from Tresys; to do so required getting files from the development repo (checkpolicy, policycoreutils). Policycoreutils requires a newer version of libsemanage. After installing libsemanage-1.6.17 I get this Python error when running semanage:

# semanage
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 24, in ?
    import seobject
  File "/usr/lib/python2.4/site-packages/seobject.py", line 25, in ?
    from semanage import *;
  File "/usr/lib/python2.4/site-packages/semanage.py", line 5, in ?
    import _semanage
ImportError: /lib/libsemanage.so.1: undefined symbol: selinux_file_context_local_path

Any ideas on how to tackle this?

Thanks gents,
Sean

From linux_4ever at yahoo.com Sat Nov 18 22:34:10 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 18 Nov 2006 14:34:10 -0800 (PST)
Subject: Audit Daemon / LogWatch / SELinux et al
In-Reply-To: <1163866109.7188.27.camel@topaz.bugfinder.co.uk>
Message-ID: <802396.65614.qm@web51508.mail.yahoo.com>

> Is it a bug that only AVC messages are logged via syslog when
> auditd is never started, OR is it a bug that non-AVC messages
> are logged via syslog when auditd is stopped after being run
> temporarily?

No, this is not a bug. The audit daemon does the equivalent of "auditctl -e 1" when it starts up. Otherwise the audit system is not active and there won't be any events to receive.

> I would imagine that this 'bug' is in the kernel itself, or perhaps a
> problem with the cleanliness of auditd's shutdown sequence.

Normally, the audit daemon is only shut down when the system is shutting down.

> Could/should the above set of permissions to grant Cron the ability to
> rotate audit logs be added to default policy?

Yes. Cron should be able to send SIGUSR1 to the audit daemon.

> Perhaps controlled by an additional Boolean?

That would make it more explicit that it's the desired behavior, so it sounds good to me.

> Would it be a better overall solution to add an extra command-line
> option to auditctl so that it signals auditd via either SIGUSR1 or a
> private control channel? Cron could then be granted permission to run
> auditctl instead of directly signalling the daemon.

That might be an even bigger permission grant. By allowing cron to run auditctl, it now has the ability to do "auditctl -D" or "-e 0", thereby deactivating the audit system.

> Would it perhaps be better to relabel /etc/cron.daily/0auditrotate as
> auditctl_exec_t?

Still a big permission grant.

> I note from auditd.conf's man page that raising the number of logs which
> auditd rotates upon receipt of SIGUSR1 may be problematical as it may
> require increasing the kernel backlog setting in audit.rules.

It depends on how busy your system is regarding audit traffic. If you have a busy system, you'll need to increase the backlog. This is only because the audit daemon is busy rotating logs and the queue in the kernel is accumulating events.

It should be noted that the audit system only cares about files that fit its naming scheme. Renaming the logs will cause the audit system to not look at the files during rotation, but then ausearch/aureport won't automatically know the logs either.

> Since the gzip'ed logs would presumably be "invisible" to auditd, but
> "visible" to Logwatch's Archive processing, this would still allow
> Logwatch to run correctly, whilst reducing the rotation processing
> load on auditd itself.

That might make it invisible. But gzipping the files will mean that ausearch/aureport will no longer work and you'll have to unzip the files just to use them.

> Could/should logwatch_t be granted permission to be an audit_log reader
> under latest policy by default, please?

I'd be leery of granting this.

> Perhaps controlled by an additional Boolean?

That might make it slightly better, but I really don't like audit/logwatch integration. What are you actually looking for out of logwatch?

> Unfortunately, because of the difference in log format, and the log
> timestamping in particular, logwatch is unable to
> process /var/log/audit/audit.log "out of the box".
> Furthermore, it seems that this script is not capable of properly
> handling various non-AVC messages.

See... not so good. If I knew what you were after, I could probably show you a better way to do it.

> With this all in place, I was finally able to get a daily Logwatch
> summary of all audit daemon activity, including all the non-AVC
> messages, albeit currently limited to a 4-day history.

Have you ever tried aureport?

BTW, I put a new FC4 srpm on my people page, but I don't foresee ever building and releasing it through the Fedora channel since FC4 is no longer in support. You can build it and use it though. The file is here:

http://people.redhat.com/sgrubb/audit/audit-1.0.15-1.fc4.src.rpm

I recommend updating to it for anyone that seriously wants auditing on FC4. That version includes a backported version of the realtime interface.

-Steve

From robin-lists at robinbowes.com Sun Nov 19 01:08:51 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Sun, 19 Nov 2006 01:08:51 +0000
Subject: error running slimserver on FC6

Hi,

I'm running slimserver (http://slimdevices.com) on a minimal FC6 system. I have created a slimserver user with homedir /opt/slimserver, and the main binary runs out of /opt/slimserver/trunk/server (I'm running the latest dev version from svn).

When I fire it up I get an AVC error. audit2allow produces this:

allow unconfined_t user_home_t:file execmod;

I know how to modify the policy to allow this, but I'm wondering how I might go about identifying what's causing the problem and fixing it more specifically, i.e. using chcon or something?

This is the full text of the error in audit.log:

type=AVC msg=audit(1163892174.128:14): avc: denied { execmod } for pid=1364 comm="slimserver.pl" name="mysql.so" dev=dm-2 ino=200014 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1163892174.128:14): arch=40000003 syscall=125 success=no exit=-13 a0=8d0000 a1=2a000 a2=5 a3=bfc37f10 items=0 ppid=1360 pid=1364 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="slimserver.pl" exe="/usr/bin/perl" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163892174.128:14): path="/opt/slimserver/trunk/server/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so"

Any idea how I can resolve this?

Thanks,
R.

From linux_4ever at yahoo.com Sun Nov 19 01:22:39 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 18 Nov 2006 17:22:39 -0800 (PST)
Subject: error running slimserver on FC6
Message-ID: <50236.88018.qm@web51509.mail.yahoo.com>

> Any idea how I can resolve this?

This is related to text relocations. This page may help spot the problem:

http://people.redhat.com/drepper/textrelocs.html

-Steve

From eric.tanguy at univ-nantes.fr Sun Nov 19 08:20:29 2006
From: eric.tanguy at univ-nantes.fr (Tanguy Eric)
Date: Sun, 19 Nov 2006 09:20:29 +0100
Subject: sealert and setroubleshoutd
Message-ID: <1163924429.3144.3.camel@bureau.maison>

I have setroubleshoutd running as a service but I can't run sealert. When I try to run it nothing happens, so I tried to run it from the root command line with -v:

Traceback (most recent call last):
  File "/usr/bin/sealert", line 440, in ?
    print s
NameError: name 's' is not defined

What's the problem?
Thanks

Eric

From eric.tanguy at univ-nantes.fr Sun Nov 19 10:35:46 2006
From: eric.tanguy at univ-nantes.fr (Tanguy Eric)
Date: Sun, 19 Nov 2006 11:35:46 +0100
Subject: sealert and setroubleshoutd
In-Reply-To: <1163924429.3144.3.camel@bureau.maison>
References: <1163924429.3144.3.camel@bureau.maison>
Message-ID: <1163932546.3144.8.camel@bureau.maison>

On Sunday 19 November 2006 at 09:20 +0100, Tanguy Eric wrote:
> I have setroubleshoutd running as a service but I can't run sealert.
> When I try to run it nothing happens, so I tried to run it from the root
> command line with -v:
> Traceback (most recent call last):
>   File "/usr/bin/sealert", line 440, in ?
>     print s
> NameError: name 's' is not defined
>
> What's the problem?
> Thanks
>
> Eric
>

In fact, it seems I have the same problem as in http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214218, but this seems not to be fixed yet.

Eric

From robin-lists at robinbowes.com Sun Nov 19 10:47:35 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Sun, 19 Nov 2006 10:47:35 +0000
Subject: error running slimserver on FC6
In-Reply-To: <50236.88018.qm@web51509.mail.yahoo.com>
References: <50236.88018.qm@web51509.mail.yahoo.com>

Steve G wrote:
>> Any idea how I can resolve this?
>
> This is related to text relocations. This page may help spot the problem:
>
> http://people.redhat.com/drepper/textrelocs.html

Uh, I read that page and I'm afraid it's beyond me!

I checked the slimdevices wiki/FAQ and found this [1]:

configure selinux to allow the server to run: '/usr/bin/chcon -R -t texrel_shlib_t /usr/local/slimserver/CPAN/arch'

Now, I'm not running the RPM and am running out of /opt/slimserver/trunk/server, so I executed:

chcon -R -t texrel_shlib_t /opt/slimserver/trunk/server/CPAN/arch

That seems to have done the trick - the server is now running!

R.

[1] http://wiki.slimdevices.com/index.cgi?RPM

From jdennis at redhat.com Mon Nov 20 16:24:09 2006
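Robin asked how to identify what is causing the execmod denial rather than allowing it for every user_home_t file, and Steve pointed at text relocations: an ELF object that needs them carries a DT_TEXTREL dynamic entry, or DF_TEXTREL in its DT_FLAGS, and those are exactly the files that want the texrel_shlib_t label the wiki recipe applies to the whole CPAN/arch tree. The following is an added example, not code from the thread, slimserver or the SELinux tools; build_fake_elf() constructs a minimal, non-loadable ELF image solely so the parser can be exercised offline, and demo() writes such constructed files into a temporary directory.

```python
import os
import struct
import tempfile

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def needs_textrel(data):
    """True if this ELF object tells the loader it needs text relocations
    (a DT_TEXTREL entry, or DF_TEXTREL set in DT_FLAGS), False if it does
    not, None if the data is not ELF or carries no PT_DYNAMIC segment."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])      # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    if bits == 64:
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt, dyn_fmt, off_ix, size_ix = endian + "IIQQQQQQ", endian + "qQ", 2, 5
    else:
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt, dyn_fmt, off_ix, size_ix = endian + "IIIIIIII", endian + "iI", 1, 4
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        dyn_off, dyn_size = ph[off_ix], ph[size_ix]
        step = struct.calcsize(dyn_fmt)
        textrel = False
        for pos in range(dyn_off, dyn_off + dyn_size, step):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
        return textrel
    return None


def scan_tree(root):
    """Walk a directory tree and return the files that need text relocations:
    the candidates for a texrel_shlib_t label, instead of granting execmod
    on every user_home_t file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                try:
                    flagged = needs_textrel(fh.read())
                except struct.error:  # truncated or corrupt ELF headers
                    continue
            if flagged:
                hits.append(path)
    return sorted(hits)


def build_fake_elf(dyn_entries, bits=64):
    """Constructed, non-loadable ELF image: header, one PT_DYNAMIC program
    header and the given dynamic entries, just enough to exercise
    needs_textrel() offline. Not a real shared object."""
    if bits == 64:
        ehsize, phentsize, dyn_fmt = 64, 56, "<qQ"
    else:
        ehsize, phentsize, dyn_fmt = 52, 32, "<iI"
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    dyn_off = ehsize + phentsize
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + bytes(8)
    if bits == 64:
        header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehsize, 0, 0,
                                     ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    else:
        header = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, ehsize, 0, 0,
                                     ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    return header + phdr + dyn


def demo():
    """Write three constructed files into a temp dir and return the basenames
    scan_tree() flags; only the object with DF_TEXTREL should show up."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "textrel.so": build_fake_elf([(DT_FLAGS, DF_TEXTREL)]),
            "clean.so": build_fake_elf([(DT_FLAGS, 0)], bits=32),
            "script.pl": b"#!/usr/bin/perl\n",
        }
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print("objects needing text relocations:", demo())
```

On a real tree, `readelf -d FILE | grep TEXTREL` gives the same per-file answer; the point of the scan is to label only the objects it lists rather than the whole directory.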
From: jdennis at redhat.com (John Dennis)
Date: Mon, 20 Nov 2006 11:24:09 -0500
Subject: sealert and setroubleshoutd
In-Reply-To: <1163932546.3144.8.camel@bureau.maison>
References: <1163924429.3144.3.camel@bureau.maison> <1163932546.3144.8.camel@bureau.maison>
Message-ID: <1164039849.13177.7.camel@finch.boston.redhat.com>

On Sun, 2006-11-19 at 11:35 +0100, Tanguy Eric wrote:
> On Sunday 19 November 2006 at 09:20 +0100, Tanguy Eric wrote:
> > I have setroubleshoutd running as a service but I can't run sealert.
> > When I try to run it nothing happens, so I tried to run it from the root
> > command line with -v:
> > Traceback (most recent call last):
> >   File "/usr/bin/sealert", line 440, in ?
> >     print s
> > NameError: name 's' is not defined
> >
> > What's the problem?
> > Thanks
> >
> > Eric
> >
>
> In fact, it seems I have the same problem as in
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214218 but this
> seems not to be fixed yet.

We'll probably be putting a new package in rawhide at the end of today or tomorrow which will fix these problems.

BTW, if you want verbose output to diagnose problems you can change the logging configuration in the config file (/etc/setroubleshoot/setroubleshoot.cfg). The daemon (setroubleshootd) and the GUI component (sealert) each have their own logging section in the config file, setroubleshootd_log and sealert_log respectively. There are two values in each section you might want to change: the level value defines what messages get emitted, and you probably want 'debug' if you're trying to track a problem down. Normally the logging goes to the log files (/var/log/setroubleshoot/setroubleshoot.log and /tmp/sealert.log), but if you set the 'console' flag to true, what is being written to the log file will also be echoed to the console.

HTH, new package coming soon...

-- 
John Dennis
Red Hat Inc.

From eric.tanguy at univ-nantes.fr Mon Nov 20 19:04:02 2006
From: eric.tanguy at univ-nantes.fr (Tanguy Eric)
Date: Mon, 20 Nov 2006 20:04:02 +0100
Subject: sealert and setroubleshoutd
In-Reply-To: <1164039849.13177.7.camel@finch.boston.redhat.com>
References: <1163924429.3144.3.camel@bureau.maison> <1163932546.3144.8.camel@bureau.maison> <1164039849.13177.7.camel@finch.boston.redhat.com>
Message-ID: <1164049442.3097.17.camel@bureau.maison>

On Monday 20 November 2006 at 11:24 -0500, John Dennis wrote:
> On Sun, 2006-11-19 at 11:35 +0100, Tanguy Eric wrote:
> > On Sunday 19 November 2006 at 09:20 +0100, Tanguy Eric wrote:
> > > I have setroubleshoutd running as a service but I can't run sealert.
> > > When I try to run it nothing happens, so I tried to run it from the root
> > > command line with -v:
> > > Traceback (most recent call last):
> > >   File "/usr/bin/sealert", line 440, in ?
> > >     print s
> > > NameError: name 's' is not defined
> > >
> > > What's the problem?
> > > Thanks
> > >
> > > Eric
> > >
> >
> > In fact, it seems I have the same problem as in
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214218 but this
> > seems not to be fixed yet.
>
> We'll probably be putting a new package in rawhide at the end of today
> or tomorrow which will fix these problems.
>
> BTW, if you want verbose output to diagnose problems you can change
> the logging configuration in the config file
> (/etc/setroubleshoot/setroubleshoot.cfg). The daemon (setroubleshootd)
> and the GUI component (sealert) each have their own logging section in
> the config file, setroubleshootd_log, sealert_log respectively. There
> are two values in each section you might want to change, the level
> value defines what messages get emitted, you probably want 'debug' if
> you're trying to track a problem down. Normally the logging goes to
> the log files (/var/log/setroubleshoot/setroubleshoot.log
> and /tmp/sealert.log), but if you set the 'console' flag to true what
> is being written to the log file will also be echoed to the console.
> HTH, new package coming soon...

Thanks for the answer John, but putting a new package in rawhide is good for rawhide but useless for Fedora Core 6 users. Can you also put this new package in updates-testing and afterwards in updates?

Eric

From olivares14031 at yahoo.com Tue Nov 21 14:17:23 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 21 Nov 2006 06:17:23 -0800 (PST)
Subject: denied avc's for hald how to fix
Message-ID: <20061121141723.66532.qmail@web52611.mail.yahoo.com>

Dear all,

I keep getting these AVCs. I have updated to the latest policies. I keep getting "hpiod Failed" when shutting down.

audit(1164099425.079:4): avc: denied { name_bind } for pid=2140 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
eth0: no IPv6 routers present
audit(1164099426.320:5): avc: denied { name_bind } for pid=2145 comm="python" src=2207 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1164099430.289:6): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:7): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:8): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:9): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:10): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir

Thanks for your help,

Antonio

From dwalsh at redhat.com Tue Nov 21 21:42:19 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 21 Nov 2006 16:42:19 -0500
Subject: denied avc's for hald how to fix
In-Reply-To: <20061121141723.66532.qmail@web52611.mail.yahoo.com>
References: <20061121141723.66532.qmail@web52611.mail.yahoo.com>
Message-ID: <456372BB.2030104@redhat.com>

Antonio Olivares wrote:
> Dear all,
>
> I keep getting these AVCs. I have updated to the latest
> policies. I keep getting "hpiod Failed" when shutting
> down.
>
> audit(1164099425.079:4): avc: denied { name_bind }
> for pid=2140 comm="hpiod" src=2208
> scontext=system_u:system_r:hplip_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> eth0: no IPv6 routers present
> audit(1164099426.320:5): avc: denied { name_bind }
> for pid=2145 comm="python" src=2207
> scontext=system_u:system_r:hplip_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> audit(1164099430.289:6): avc: denied { search } for
> pid=2325 comm="hald" name="irq" dev=proc
> ino=-268435212 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1164099430.290:7): avc: denied { search } for
> pid=2325 comm="hald" name="irq" dev=proc
> ino=-268435212 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1164099430.290:8): avc: denied { search } for
> pid=2325 comm="hald" name="irq" dev=proc
> ino=-268435212 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1164099430.290:9): avc: denied { search } for
> pid=2325 comm="hald" name="irq" dev=proc
> ino=-268435212 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1164099430.290:10): avc: denied { search } for
> pid=2325 comm="hald" name="irq" dev=proc
> ino=-268435212 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
>

What version of the OS are you running and have you yum updated policy?

Dan

> Thanks for your help,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Tue Nov 21 21:43:42 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 21 Nov 2006 16:43:42 -0500
Subject: Semanage/libsemanage Python Errors
Message-ID: <4563730E.3030205@redhat.com>

Leffler, Sean wrote:
> I was trying to install the latest refpolicy from Tresys; to do so required
> getting files from the development repo (checkpolicy, policycoreutils).
> Policycoreutils requires a newer version of libsemanage.
> After installing libsemanage-1.6.17 I get this Python error when running
> semanage
>
> # semanage
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 24, in ?
>     import seobject
>   File "/usr/lib/python2.4/site-packages/seobject.py", line 25, in ?
>     from semanage import *;
>   File "/usr/lib/python2.4/site-packages/semanage.py", line 5, in ?
>     import _semanage
> ImportError: /lib/libsemanage.so.1: undefined symbol:
> selinux_file_context_local_path
>
> Any ideas on how to tackle this?
> Thanks gents,
>

You need to get their version of libsemanage also. Or you can grab the FC6 version.

> Sean

From olivares14031 at yahoo.com Tue Nov 21 22:02:52 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 21 Nov 2006 14:02:52 -0800 (PST)
Subject: denied avc's for hald how to fix
In-Reply-To: <456372BB.2030104@redhat.com>
Message-ID: <985697.25652.qm@web52614.mail.yahoo.com>

--- Daniel J Walsh wrote:
> Antonio Olivares wrote:
> > Dear all,
> >
> > I keep getting this avc's. Have updated to latest policies. I keep getting hpiod Failed when shutting down.
> >
> > audit(1164099425.079:4): avc: denied { name_bind } for pid=2140 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > eth0: no IPv6 routers present
> > audit(1164099426.320:5): avc: denied { name_bind } for pid=2145 comm="python" src=2207 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > audit(1164099430.289:6): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> > audit(1164099430.290:7): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> > audit(1164099430.290:8): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> > audit(1164099430.290:9): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> > audit(1164099430.290:10): avc: denied { search } for pid=2325 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> >
> What version of the OS are you running and have you yum updated policy?

Running Fedora Core 6 (Zod). I yum update the whole system every 2 to 3 days. Will be out for Thanksgiving Holiday and be back on Monday of next week. Till then, I should send more information that is needed to fix this issue.

Regards,

Antonio

> Dan
> > Thanks for your help,
> >
> > Antonio
> >

From selinux at gmail.com Wed Nov 22 15:21:06 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 22 Nov 2006 07:21:06 -0800
Subject: rpm -V/prelink/exec{mem,stack,heap,mod}
Message-ID: <4c4ba1530611220721i1b01de28r7807e2097ed959f3@mail.gmail.com>

Running rawhide, targeted/enforcing.

After some problems completing daily updates, I decided to do a brute force winnowing of the installed packages on my system via:

for i in `rpm -qa`
do
    rpm -V $i
done

This generated lots of chaff, but I did get a few complaints and AVCs from prelink. Here are a few examples:

type=AVC msg=audit(1164207673.111:60): avc: denied { execmod } for pid=14045 comm="ld-linux.so.2" name="libSDL-1.2.so.0.7.3.#prelink#.KpNF6b" dev=dm-0 ino=5474274 scontext=user_u:system_r:rpm_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1164207673.111:60): arch=40000003 syscall=125 success=no exit=-13 a0=aa4000 a1=7c000 a2=5 a3=bfe79f30 items=0 ppid=14035 pid=14045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:rpm_t:s0 key=(null)
type=AVC_PATH msg=audit(1164207673.111:60): path="/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.KpNF6b"

type=AVC msg=audit(1164207351.971:48): avc: denied { execstack } for pid=5126 comm="ld-linux.so.2" scontext=user_u:system_r:rpm_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1164207351.971:48): arch=40000003 syscall=125 success=no exit=-13 a0=bfa65000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=5125 pid=5126 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:rpm_t:s0 key=(null)

type=AVC msg=audit(1164207446.818:49): avc: denied { execmem } for pid=6730 comm="ld-linux.so.2" scontext=user_u:system_r:rpm_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1164207446.818:49): arch=40000003 syscall=192 success=no exit=-13 a0=8048000 a1=91b000 a2=7 a3=812 items=0 ppid=6729 pid=6730 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:rpm_t:s0 key=(null)

type=AVC msg=audit(1164208640.223:66): avc: denied { execheap } for pid=30931 comm="ld-linux.so.2" scontext=user_u:system_r:rpm_t:s0 tcontext=user_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1164208640.223:66): arch=40000003 syscall=125 success=yes exit=0 a0=4f40d000 a1=6a000 a2=5 a3=bfc234f0 items=0 ppid=30907 pid=30931 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so" subj=user_u:system_r:rpm_t:s0 key=(null)

I'm guessing this is probably an (obscure?) edge case, but is there a missing transition from rpm_t to something like prelink_t?

Here is a particular case (this one generated the last AVC (execheap) above):

[root at localhost ~]# rpm -V compiz
prelink: /usr/bin/compiz.#prelink#.bdtGdC Could not trace symbol resolving
S.?..... /usr/bin/compiz
[root at localhost ~]# setenforce 0
[root at localhost ~]# rpm -V compiz
[root at localhost ~]#

tom
--
Tom London

From tony.molloy at ul.ie Fri Nov 24 10:11:49 2006
From: tony.molloy at ul.ie (Tony Molloy)
Date: Fri, 24 Nov 2006 10:11:49 +0000
Subject: AVC denied messages for openvpn and procmail
Message-ID: <200611241011.50063.tony.molloy@ul.ie>

Hi,

I'm trying to get up to speed on SElinux so sorry for being so long.

I've managed to get rid of various avc denied messages. However I'm getting the following two AVC denied messages from setroubleshoot. They are not causing any problems but I would like to know how to go about getting rid of them. Would I need to have some sort of local policy.

I'll include the complete message here.

> Summary
> SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" to /etc/openvpn/openvpn.log (openvpn_etc_t).
>
> Detailed Description
> SELinux denied access requested by /sbin/ifconfig. It is not expected that this access is required by /sbin/ifconfig and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/openvpn/openvpn.log, restorecon -v /etc/openvpn/openvpn.log If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
>
> Additional Information
> Source Context                system_u:system_r:ifconfig_t:s0
> Target Context                system_u:object_r:openvpn_etc_t:s0
> Target Objects                /etc/openvpn/openvpn.log [ file ]
> Affected RPM Packages         net-tools-1.60-73 [application]
> Policy RPM                    selinux-policy-2.4.3-10.fc6
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall
> Host Name                     localhost
> Platform                      Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
>
> Raw Audit Messages
> avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0' exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983' scontext=system_u:system_r:ifconfig_t:s0 sgid='0' subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0'

This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log" but since openvpn.log is recreated on each boot then it's always going to have the wrong label. How can I get rid of this.

> Summary
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description
> These files have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. IE everything under /usr, /var. /dev, /tmp, ... should not be labeled with the default label. The default label is for files who do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access
> If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information
> Source Context                system_u:system_r:procmail_t:s0
> Target Context                system_u:object_r:default_t:s0
> Target Objects                / [ dir ]
> Affected RPM Packages         procmail-3.22-17.1 [application]filesystem-2.4.0-1 [target]
> Policy RPM                    selinux-policy-2.4.3-10.fc6
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.default
> Host Name                     localhost
> Platform                      Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
>
> Raw Audit Messages
> avc: denied { search } for comm='"procmail"' dev='sda8' egid='12' euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0' gid='12' items='0' name='"/"' pid='3112' scontext=system_u:system_r:procmail_t:s0 sgid='12' subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir' tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'

Again I tried "touch /.autorelabel; reboot" but I keep getting the avc denied message.

Regards,

Tony

--
Tony Molloy. System Manager. Dept. of Comp. Sci. University of Limerick

From mantaray_1 at cox.net Fri Nov 24 15:36:25 2006
From: mantaray_1 at cox.net (Ken)
Date: Fri, 24 Nov 2006 08:36:25 -0700
Subject: Firefox on strict policy
Message-ID: <45671179.90005@cox.net>

I am attempting to get a strict policy working on my FC-6 system (version 2.4.3-2.fc6). I have successfully created a user account, and I can log both the root and the user account into the GUI. I am attempting to get Firefox to work and I am having difficulties. If I click on the Firefox icon, I see the program listed as opening, and it stays that way for a few seconds and then disappears. If I check the message log (var/log/messages), there are no messages (either avc or other) generated as a result of the attempt. This only happens when the policy is enforcing. When the policy is not enforcing, Firefox loads properly -- also with no messages. I have noticed that Firefox is not writing to its .mozilla folder when the policy is enforcing, and that it does write to several files in this folder when it loads properly. This problem affects both my user account and the root account.

Can someone please explain why I am not receiving any error messages (or any messages at all), and let me know what needs to be changed in order to load Firefox?

From wart at kobold.org Sat Nov 25 00:05:19 2006
From: wart at kobold.org (Wart)
Date: Fri, 24 Nov 2006 16:05:19 -0800
Subject: changing squid cache dir
Message-ID: <456788BF.90507@kobold.org>

I reconfigured my squid to use a cache directory on a filesystem with more space (/space/squid/cache, and relabeled /space/squid and all of its subdirectories with system_u:object_r:squid_cache_t.

Now I'm getting AVC denied messages[1] because it seems that squid wants to read from /.

setroubleshoot says that I can run "setsebool -P read_default_t=1" to remove this denial, but I'd rather find out why squid wants to read from / and relabel files appropriately. Any ideas?

--Wart

[1] avc: denied { search } for comm='"squid"' dev='sdb5' egid='0' euid='0' exe='"/usr/sbin/squid"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' name='"/"' pid='3114' scontext=system_u:system_r:squid_t:s0 sgid='0' subj='system_u:system_r:squid_t:s0' suid='0' tclass='dir' tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'

From mjs at ces.clemson.edu Sat Nov 25 19:07:54 2006
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Sat, 25 Nov 2006 14:07:54 -0500 (EST)
Subject: cups-lpd

Am I supposed to have to disable SELinux protection for cups-lpd in order to use it?

After installing and enabling cups-lpd, I can't print using it from a remote system. Disabling SELinux protection in system-config-securitylevel clears the problem.

Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { read } for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From paul at city-fan.org Sun Nov 26 16:47:52 2006
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 26 Nov 2006 16:47:52 +0000
Subject: changing squid cache dir
In-Reply-To: <456788BF.90507@kobold.org>
References: <456788BF.90507@kobold.org>
Message-ID: <1164559682.4562.3.camel@metropolis.intra.city-fan.org>

On Fri, 2006-11-24 at 16:05 -0800, Wart wrote:
> I reconfigured my squid to use a cache directory on a filesystem with more space (/space/squid/cache, and relabeled /space/squid and all of its subdirectories with system_u:object_r:squid_cache_t.
>
> Now I'm getting AVC denied messages[1] because it seems that squid wants to read from /.
>
> setroubleshoot says that I can run "setsebool -P read_default_t=1" to remove this denial, but I'd rather find out why squid wants to read from / and relabel files appropriately. Any ideas?
>
> --Wart
>
> [1] avc: denied { search } for comm='"squid"' dev='sdb5' egid='0' euid='0' exe='"/usr/sbin/squid"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' name='"/"' pid='3114' scontext=system_u:system_r:squid_t:s0 sgid='0' subj='system_u:system_r:squid_t:s0' suid='0' tclass='dir' tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'

I suspect that the "/" here is the root directory of the filesystem, most likely /space, and that this problem will go away if you do:

# chcon -t var_t /space

Paul.

From selinux at gmail.com Mon Nov 27 15:13:25 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 27 Nov 2006 07:13:25 -0800
Subject: VMware update needs dbus sendmsg
Message-ID: <4c4ba1530611270713j7bd638eelc4c82ac29536aa4c@mail.gmail.com>

Running latest rawhide, targeted enforcing.

I updated VMware from VMware-workstation-5.5.2-29772.i386.rpm to VMware-workstation-5.5.3-34685.i386.rpm.

New VMware will not run in enforcing mode, but will in permissive mode. Here is console output from enforcing mode:

[tbl at localhost ~]$ vmware
GTK Accessibility Module initialized
process 4409: Applications must not close shared connections - see dbus_connection_close() docs. This is a bug in the application.
D-Bus not built with -rdynamic so unable to print a backtrace
GTK Accessibility Module initialized
/usr/lib/vmware/bin/vmware: symbol lookup error: /usr/lib/libspi.so.0: undefined symbol: atk_hyperlink_impl_get_type
[tbl at localhost ~]$

In permissive mode:

[tbl at localhost ~]$ vmware
GTK Accessibility Module initialized
[tbl at localhost ~]$

In permissive mode, produces many (e.g., >1000) AVCs trying to access DBUS. Here are 2 of them:

type=USER_AVC msg=audit(1164639327.028:1041): user pid=2165 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=PropertyExists dest=org.freedesktop.Hal spid=4488 tpid=2652 scontext=user_u:system_r:unconfined_execmem_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1164639327.028:1042): user pid=2165 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.25 spid=2652 tpid=4488 scontext=system_u:system_r:hald_t:s0 tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

or

allow hald_t unconfined_execmem_t:dbus send_msg;
allow unconfined_execmem_t hald_t:dbus send_msg;

Make sense to add?

tom
--
Tom London

From dwalsh at redhat.com Mon Nov 27 19:42:59 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Nov 2006 14:42:59 -0500
Subject: cups-lpd
Message-ID: <456B3FC3.70603@redhat.com>

Matthew Saltzman wrote:
> Am I supposed to have to disable SELinux protection for cups-lpd in order to use it?
>
> After installing and enabling cups-lpd, I can't print using it from a remote system. Disabling SELinux protection in system-config-securitylevel clears the problem.
>
> Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { read } for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
>
I would recommend that you add local policy to fix this.

audit2allow -M local -i /var/log/audit/audit.log

From dwalsh at redhat.com Mon Nov 27 19:49:54 2006
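Dan's audit2allow run and the two dbus rules Tom derived by hand from the USER_AVC records are the same step: collapsing denial records into allow rules. The Python below is an added example (not code from this thread or from audit2allow) that parses the three AVC layouts quoted in this archive and buckets the resulting rules into ones a local module could carry, ones whose target is default_t and call for relabeling instead (as in the squid and procmail threads), and exec* memory-protection denials like the rpm_t/prelink ones that should not be allowed blindly; the sample records are copied from messages in this thread.

```python
"""Turn the AVC denial records quoted in this thread into audit2allow-style
allow rules, and flag the ones a local policy module should not carry."""
import re
from collections import defaultdict

# Three layouts appear in the archive: kernel "audit(...): avc: denied ...",
# the dbus wrapper "type=USER_AVC ... msg='avc: denied ...'", and the
# setroubleshoot "Raw Audit Messages" form with quoted values (tclass='dir',
# comm='"squid"').  One search per field copes with all three.
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = {
    "scontext": re.compile(r"\bscontext=([^\s']+)"),
    "tcontext": re.compile(r"\btcontext=([^\s']+)"),
    "tclass": re.compile(r"""\btclass=['"]?(\w+)"""),
    "comm": re.compile(r"""\bcomm=['"]+([^'"]+)"""),
}
# Permissions that relax W^X: audit2allow will emit them, a reviewer should not.
EXEC_PERMS = {"execmem", "execstack", "execheap", "execmod"}
# Target types that mean "the object is mislabeled", not "policy is missing".
LABELING_TYPES = {"default_t", "unlabeled_t"}


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one denial record; return None for lines that are not AVCs."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {"perms": sorted(m.group(1).split())}
    for name, rx in FIELD_RE.items():
        fm = rx.search(line)
        rec[name] = fm.group(1) if fm else None
    if not (rec["scontext"] and rec["tcontext"] and rec["tclass"]):
        return None
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def classify(rec):
    """'labeling': relabel the object; 'exec': review before allowing; 'allow': candidate rule."""
    if rec["ttype"] in LABELING_TYPES:
        return "labeling"
    if EXEC_PERMS & set(rec["perms"]):
        return "exec"
    return "allow"


def rule_text(stype, ttype, tclass, perms):
    """Render one allow rule in the form audit2allow prints."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(lines):
    """Group denials by (source type, target type, class) and bucket the rules."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (classify(rec), rec["stype"], rec["ttype"], rec["tclass"])
            grouped[key].update(rec["perms"])
    out = {"allow": [], "exec": [], "labeling": []}
    for (cat, s, t, c), perms in sorted(grouped.items()):
        out[cat].append(rule_text(s, t, c, perms))
    return out


# Records copied from messages in this thread (the vmware, cups-lpd, rpm -V
# and squid posts), plus one non-AVC kernel line to show it is skipped.
SAMPLE = [
    """type=USER_AVC msg=audit(1164639327.028:1041): user pid=2165 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=PropertyExists dest=org.freedesktop.Hal spid=4488 tpid=2652 scontext=user_u:system_r:unconfined_execmem_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'""",
    """type=USER_AVC msg=audit(1164639327.028:1042): user pid=2165 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.25 spid=2652 tpid=4488 scontext=system_u:system_r:hald_t:s0 tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'""",
    """Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { read } for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file""",
    """type=AVC msg=audit(1164207673.111:60): avc: denied { execmod } for pid=14045 comm="ld-linux.so.2" name="libSDL-1.2.so.0.7.3.#prelink#.KpNF6b" dev=dm-0 ino=5474274 scontext=user_u:system_r:rpm_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file""",
    """avc: denied { search } for comm='"squid"' dev='sdb5' egid='0' euid='0' exe='"/usr/sbin/squid"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' name='"/"' pid='3114' scontext=system_u:system_r:squid_t:s0 sgid='0' subj='system_u:system_r:squid_t:s0' suid='0' tclass='dir' tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'""",
    "eth0: no IPv6 routers present",
]

if __name__ == "__main__":
    for category, rules in triage(SAMPLE).items():
        print(category)
        for rule in rules:
            print("    " + rule)
```

Feeding it /var/log/audit/audit.log instead of SAMPLE reproduces the two send_msg rules from the VMware post under "allow" while keeping the prelink execmod and the default_t search out of the module.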
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Nov 2006 14:49:54 -0500
Subject: AVC denied messages for openvpn and procmail
In-Reply-To: <200611241011.50063.tony.molloy@ul.ie>
References: <200611241011.50063.tony.molloy@ul.ie>
Message-ID: <456B4162.6000700@redhat.com>

Tony Molloy wrote:
> Hi,
>
> I'm trying to get up to speed on SElinux so sorry for being so long.
>
> I've managed to get rid of various avc denied messages. However I'm getting the following two AVC denied messages from setroubleshoot. They are not causing any problems but I would like to know how to go about getting rid of them. Would I need to have some sort of local policy.
>
> I'll include the complete message here.
>
>> Summary
>> SELinux is preventing /sbin/ifconfig (ifconfig_t) "write" to /etc/openvpn/openvpn.log (openvpn_etc_t).
>>
>> Detailed Description
>> SELinux denied access requested by /sbin/ifconfig. It is not expected that this access is required by /sbin/ifconfig and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/openvpn/openvpn.log, restorecon -v /etc/openvpn/openvpn.log If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
>>
>> Additional Information
>> Source Context                system_u:system_r:ifconfig_t:s0
>> Target Context                system_u:object_r:openvpn_etc_t:s0
>> Target Objects                /etc/openvpn/openvpn.log [ file ]
>> Affected RPM Packages         net-tools-1.60-73 [application]
>> Policy RPM                    selinux-policy-2.4.3-10.fc6
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   plugins.catchall
>> Host Name                     localhost
>> Platform                      Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
>>
>> Raw Audit Messages
>> avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0' exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0' name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983' scontext=system_u:system_r:ifconfig_t:s0 sgid='0' subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file' tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0'
>>
> This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log" but since openvpn.log is recreated on each boot then it's always going to have the wrong label. How can I get rid of this.
>
This is a bug in openvpn. Please report to them that they are leaking the open file descriptor to their log file. Basically it is leaking a file descriptor which is causing this access. This is not really a problem. In that ifconfig does not need this access to function correctly. You can tell setroubleshoot to ignore the message and it will stop bothering you, until openvpn fixes their problem.
>
>> Summary
>> SELinux is preventing access to files with the default label, default_t.
>>
>> Detailed Description
>> These files have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. IE everything under /usr, /var. /dev, /tmp, ... should not be labeled with the default label. The default label is for files who do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
>>
>> Allowing Access
>> If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>>
>> Additional Information
>> Source Context                system_u:system_r:procmail_t:s0
>> Target Context                system_u:object_r:default_t:s0
>> Target Objects                / [ dir ]
>> Affected RPM Packages         procmail-3.22-17.1 [application]filesystem-2.4.0-1 [target]
>> Policy RPM                    selinux-policy-2.4.3-10.fc6
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   plugins.default
>> Host Name                     localhost
>> Platform                      Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
>>
>> Raw Audit Messages
>> avc: denied { search } for comm='"procmail"' dev='sda8' egid='12' euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0' gid='12' items='0' name='"/"' pid='3112' scontext=system_u:system_r:procmail_t:s0 sgid='12' subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir' tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'
>>
> Again I tried "touch /.autorelabel; reboot" but I keep getting the avc denied message.
>
> Regards,
>
> Tony
>
/ should be labeled root_t? not default_t?

ls -lZd /
restorecon /
ls -lZd /

From dwalsh at redhat.com Mon Nov 27 19:53:15 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Nov 2006 14:53:15 -0500
Subject: Firefox on strict policy
In-Reply-To: <45671179.90005@cox.net>
References: <45671179.90005@cox.net>
Message-ID: <456B422B.1030206@redhat.com>

Ken wrote:
> I am attempting to get a strict policy working on my FC-6 system (version 2.4.3-2.fc6). I have successfully created a user account, and I can log both the root and the user account into the GUI. I am attempting to get Firefox to work and I am having difficulties. If I click on the Firefox icon, I see the program listed as opening, and it stays that way for a few seconds and then disappears. If I check the message log (var/log/messages), there are no messages (either avc or other) generated as a result of the attempt. This only happens when the policy is enforcing. When the policy is not enforcing, Firefox loads properly -- also with no messages. I have noticed that Firefox is not writing to its .mozilla folder when the policy is enforcing, and that it does write to several files in this folder when it loads properly. This problem affects both my user account and the root account. Can someone please explain why I am not receiving any error messages (or any messages at all), and let me know what needs to be changed in order to load Firefox?
>
check /var/log/audit/audit.log for avc messages.

I would guess you have a labeling problem on your home dir.

restorecon -R -v ~/

From wart at kobold.org Tue Nov 28 15:51:01 2006
From: wart at kobold.org (Wart)
Date: Tue, 28 Nov 2006 07:51:01 -0800
Subject: changing squid cache dir
In-Reply-To: <1164559682.4562.3.camel@metropolis.intra.city-fan.org>
References: <456788BF.90507@kobold.org> <1164559682.4562.3.camel@metropolis.intra.city-fan.org>
Message-ID: <456C5AE5.2070707@kobold.org>

Paul Howarth wrote:
> On Fri, 2006-11-24 at 16:05 -0800, Wart wrote:
>> I reconfigured my squid to use a cache directory on a filesystem with more space (/space/squid/cache, and relabeled /space/squid and all of its subdirectories with system_u:object_r:squid_cache_t.
>>
>> Now I'm getting AVC denied messages[1] because it seems that squid wants to read from /.
>>
>> setroubleshoot says that I can run "setsebool -P read_default_t=1" to remove this denial, but I'd rather find out why squid wants to read from / and relabel files appropriately. Any ideas?
>>
>> --Wart
>>
>> [1] avc: denied { search } for comm='"squid"' dev='sdb5' egid='0' euid='0' exe='"/usr/sbin/squid"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' name='"/"' pid='3114' scontext=system_u:system_r:squid_t:s0 sgid='0' subj='system_u:system_r:squid_t:s0' suid='0' tclass='dir' tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'
>
> I suspect that the "/" here is the root directory of the filesystem, most likely /space, and that this problem will go away if you do:
>
> # chcon -t var_t /space

That did, indeed, fix it. Thanks!

--Wart

From Tomtefans at gmail.com Tue Nov 28 18:36:35 2006
From: Tomtefans at gmail.com (Jimmy)
Date: Tue, 28 Nov 2006 19:36:35 +0100
Subject: Still unconfined?
Message-ID: <456C81B3.2010405@gmail.com>

Hi!

I'm trying to learn SELinux from bottom up, but having some fundamental issues regarding the basics.

I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ).

I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.

Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!

With best regards / Tomten

From mjs at ces.clemson.edu Tue Nov 28 19:05:43 2006
From: mjs at ces.clemson.edu (Matthew Saltzman)
Date: Tue, 28 Nov 2006 14:05:43 -0500 (EST)
Subject: cups-lpd
In-Reply-To: <456B3FC3.70603@redhat.com>
References: <456B3FC3.70603@redhat.com>

On Mon, 27 Nov 2006, Daniel J Walsh wrote:
> Matthew Saltzman wrote:
>> Am I supposed to have to disable SELinux protection for cups-lpd in order to use it?
>>
>> After installing and enabling cups-lpd, I can't print using it from a remote system. Disabling SELinux protection in system-config-securitylevel clears the problem.
>>
>> Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { read } for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
>>
> I would recommend that you add local policy to fix this.
>
> audit2allow -M local -i /var/log/audit/audit.log

OK but would you consider it a cups-lpd packaging bug or a policy bug that this does not work out of the box?

--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From sds at tycho.nsa.gov Tue Nov 28 19:18:24 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Nov 2006 14:18:24 -0500
Subject: Still unconfined?
In-Reply-To: <456C81B3.2010405@gmail.com>
References: <456C81B3.2010405@gmail.com>
Message-ID: <1164741504.23019.62.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-11-28 at 19:36 +0100, Jimmy wrote:
> Hi!
>
> I'm trying to learn SELinux from bottom up, but having some fundamental issues regarding the basics.
> I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ).
> I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.
>
> Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!

If mozilla's domain was a "simple" domain, then mozilla.pp would just contain its definition, and you would still need to set up a transition from unconfined_t to mozilla's domain, likely by calling an interface defined by mozilla.if from unconfined.te. But mozilla's domain is templated for instantiation once per user role, and targeted policy has no notion of user roles or domains, so mozilla.pp doesn't even contain the actual domain definition, just a few type declarations for file types used for mozilla - the real domain definition happens as a result of template expansion for each user role.

In short, mozilla's policy was written for the strict policy. You'd have to do some work to instantiate it for unconfined in targeted and ensure that none of its assumptions are broken there, and your ability to limit what it can do will be severely constrained with targeted policy.

--
Stephen Smalley
National Security Agency

From borzoi at caltanet.it Tue Nov 28 19:40:42 2006
From: borzoi at caltanet.it (Paolo D.)
Date: Tue, 28 Nov 2006 20:40:42 +0100
Subject: How to write in Tomcat webapps directory?
Message-ID: <005501c71325$17afbfa0$6481a8c0@STEFANENKO>

Good evening everybody,

I need to be able to write in Tomcat "webapps" folder, but default SELinux Context var_lib_t doesn't allow it.

What's the best way to accomplish my need, before fatal "setenforce 0"? To change SELinux Context to "User data" or "Temporary data"?

I see no boolean in SELinux policy through which I can allow writing in this directory, or selectively disable MAC for Tomcat....

Paolo

From dwalsh at redhat.com Tue Nov 28 19:46:21 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 28 Nov 2006 14:46:21 -0500
Subject: Still unconfined?
In-Reply-To: <456C81B3.2010405@gmail.com>
References: <456C81B3.2010405@gmail.com>
Message-ID: <456C920D.2060001@redhat.com>

Jimmy wrote:
> Hi!
>
> I'm trying to learn SELinux from bottom up, but having some fundamental issues regarding the basics.
> I'm trying to load the mozilla.pp module in targeted, which works fine. I set the correct contexts with restorecon on firefox-bin. But when I run the binary it still runs in unconfined_t when looking at running processes (ps auxZ).
> I've tried to compile it myself from different sources, and load it, but get the same results all the time. Then I tried with netutils.pp and discovered the same problem with ping.
>
> Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know I'm making some really fundamental mistake somewhere, but I can't find out what it is!
>
> With best regards / Tomten
>
You need to write a transition rule from unconfined_t to mozilla_t

Something like

mozilla_per_role_template(user, unconfined_t, system_r)

But there is a bug in policy right now

gen_require(`
	type mozilla_exec_t;
	type mozilla_conf_t;
')

Needs to be added to the mozilla_per_role_template interface definition.

From tibbs at math.uh.edu Tue Nov 28 19:58:58 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 28 Nov 2006 13:58:58 -0600
Subject: Policy for denyhosts
Message-ID:

I would like to revisit the issue of denyhosts and selinux and address it
properly. From what I gather from the earlier discussion, it would be best
to write a proper policy for denyhosts. Unfortunately, I'm almost completely
ignorant of what needs to happen here.

Here's some essential info about denyhosts:

Denyhosts is written in python. It runs as root either as a daemon or
spawned from cron. It consists of an executable script
(/usr/bin/denyhosts.py), some python modules in
/usr/lib/python2.4/site-packages/DenyHosts, a config file
(/etc/denyhosts.conf), and some databases under /var/lib/denyhosts.

During its operation it reads /var/log/secure, maintains databases and such
under /var/lib/denyhosts, and writes to /etc/hosts.deny. It may also make
some xmlrpc calls out over the 'net if so configured (although by default
this is not the case).

One complication is that denyhosts can call out to user-supplied scripts
which can do pretty much anything. I've no idea how to properly handle that
kind of thing.

Could someone perhaps help me to get started with a policy?

- J<

From sds at tycho.nsa.gov Tue Nov 28 20:51:40 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Nov 2006 15:51:40 -0500
Subject: Policy for denyhosts
In-Reply-To:
References:
Message-ID: <1164747100.23019.116.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-11-28 at 13:58 -0600, Jason L Tibbitts III wrote:
> I would like to revisit the issue of denyhosts and selinux and address
> it properly. From what I gather from the earlier discussion, it would
> be best to write a proper policy for denyhosts. Unfortunately, I'm
> almost completely ignorant of what needs to happen here.
>
> Here's some essential info about denyhosts:
>
> Denyhosts is written in python. It runs as root either as a daemon or
> spawned from cron. It consists of an executable script
> (/usr/bin/denyhosts.py), some python modules in
> /usr/lib/python2.4/site-packages/DenyHosts, a config file
> (/etc/denyhosts.conf), and some databases under /var/lib/denyhosts.
>
> During its operation it reads /var/log/secure, maintains databases and
> such under /var/lib/denyhosts, and writes to /etc/hosts.deny.

The delicate issue there is that other programs read /etc/hosts.deny, so if
we move it into its own type (so that we only have to allow denyhosts to
write to it and not other files in /etc), then we have to adjust any other
domains that need to read the new type. An intermediate point is to push it
into etc_runtime_t, a generic type used for runtime generated or modified
etc files.

> It may
> also make some xmlrpc calls out over the 'net if so configured
> (although by default this is not the case).

So network access could be under a boolean.

> One complication is that denyhosts can call out to user-supplied
> scripts which can do pretty much anything. I've no idea how to
> properly handle that kind of thing.

User-supplied or admin-supplied? The scripts should run with the full
privileges of denyhosts or with a reduced subset?

> Could someone perhaps help me to get started with a policy?
Most people start with an existing module from the policy sources (.src.rpm
or upstream tarball) and work from it, or use
/usr/share/selinux/devel/policygentool (from selinux-policy-devel) to create
an initial stub. Or use SLIDE and its module building wizard if you are into
Eclipse.

You need to create a .te file with the policy declarations and rules, a .fc
file with the file contexts, and an .if file with the interfaces the policy
module exports to others (e.g. to access the /etc/hosts.deny file if you put
it into a private type, or to transition into the denyhosts domain from a
caller).

Incomplete samples below, no guarantees on correctness...

denyhosts.te:

policy_module(denyhosts, 1.0.0)

##############
#
# Declarations
#

type denyhosts_t;	# type for the running process
type denyhosts_exec_t;	# type for the executable on disk
init_daemon_domain(denyhosts_t, denyhosts_exec_t)	# runs as a daemon
cron_system_entry(denyhosts_t, denyhosts_exec_t)	# and as a cron job

type denyhosts_conf_t;
files_config_file(denyhosts_conf_t)

type denyhosts_var_run_t;
files_pid_file(denyhosts_var_run_t)

type denyhosts_var_lib_t;
files_type(denyhosts_var_lib_t)

###########################
#
# Local policy
#

allow denyhosts_t denyhosts_conf_t:file r_file_perms;
files_search_etc(denyhosts_t)

allow denyhosts_t denyhosts_var_run_t:file create_file_perms;
allow denyhosts_t denyhosts_var_run_t:dir rw_dir_perms;
files_pid_filetrans(denyhosts_t,denyhosts_var_run_t,file)

allow denyhosts_t denyhosts_var_lib_t:dir rw_dir_perms;
allow denyhosts_t denyhosts_var_lib_t:file create_file_perms;
files_var_lib_filetrans(denyhosts_t,denyhosts_var_lib_t,file)

corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
corecmd_search_sbin(denyhosts_t)

files_read_usr_files(denyhosts_t)
files_read_etc_files(denyhosts_t)
files_read_etc_runtime_files(denyhosts_t)

denyhosts.fc:

/usr/bin/denyhosts.py	--	gen_context(system_u:object_r:denyhosts_exec_t,s0)
/etc/denyhosts.conf	--	gen_context(system_u:object_r:denyhosts_conf_t,s0)
/var/lib/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_lib_t,s0)

--
Stephen Smalley
National Security Agency

From tibbs at math.uh.edu Wed Nov 29 03:01:58 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 28 Nov 2006 21:01:58 -0600
Subject: Policy for denyhosts
In-Reply-To: <1164747100.23019.116.camel@moss-spartans.epoch.ncsc.mil>
References: <1164747100.23019.116.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Thanks for the info!

>>>>> "SS" == Stephen Smalley writes:

SS> The delicate issue there is that other programs read
SS> /etc/hosts.deny, so if we move it into its own type (so that we
SS> only have to allow denyhosts to write to it and not other files in
SS> /etc), then we have to adjust any other domains that need to read
SS> the new type.

Ah, of course, you can't allow something to read a file by name, just by
type. Mighty inconvenient, that.

SS> User-supplied or admin-supplied? The scripts should run with the
SS> full privileges of denyhosts or with a reduced subset?

Admin-supplied, I suppose. This is essentially an admin-only application;
you have to explicitly modify the root-owned config file in order to enable
a particular script.

I can't speak to what the scripts should be able to do. Folks could be
doing anything at all with them (as they're called via exec), but I suspect
they're not being used at all in the vast majority of cases. Is it possible
for the end-user (end-admin?) to do something quick to force an executable
to transition into the unconfined domain?

I'll have to dig into the policy bits you sent; most of it is
self-explanatory but I'm sure there are many subtleties I'm missing.

- J<

From jeff at ultimateevil.org Wed Nov 29 04:00:51 2006
From: jeff at ultimateevil.org (Jeff Carlson)
Date: Tue, 28 Nov 2006 20:00:51 -0800
Subject: Policy for denyhosts
In-Reply-To:
References:
Message-ID: <456D05F3.1050201@ultimateevil.org>

Jason L Tibbitts III wrote:
> During its operation it reads /var/log/secure, maintains databases and
> such under /var/lib/denyhosts, and writes to /etc/hosts.deny. It may
> also make some xmlrpc calls out over the 'net if so configured
> (although by default this is not the case).

I just wanted to point out that I don't run DenyHosts to write directly to
hosts.deny. Here is how I have tcpwrappers configured:

---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0
sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live. No reason to accept SSH from where I don't.

---- hosts.deny ----
ALL: ALL

So, hosts.deny just denies everything, and services need to be whitelisted
in hosts.allow. I have DenyHosts write to /etc/hosts.deny.sshd, and any IP
not in the US is already denied. As you can see, it would be pointless to
append to hosts.deny.

I'm sure there are plenty of other people who do it this way, since it's a
configuration option in DenyHosts. I just wanted to point it out so you
don't go making changes to the SELinux policy and leave out the possibility
of writing to an alternate deny file like I have done.

From tibbs at math.uh.edu Wed Nov 29 04:06:02 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 28 Nov 2006 22:06:02 -0600
Subject: Policy for denyhosts
In-Reply-To: <456D05F3.1050201@ultimateevil.org>
References: <456D05F3.1050201@ultimateevil.org>
Message-ID:

>>>>> "JC" == Jeff Carlson writes:

JC> I just wanted to point out that I don't run DenyHosts to write
JC> directly to hosts.deny.

And you have selinux enabled, and it already gets the proper context on
/etc/hosts.deny.sshd? Because this doesn't seem to be working for others.

JC> I'm sure there are plenty of other people who do it this way,
JC> since it's a configuration option in DenyHosts.

There are myriad configuration options in Denyhosts. We have to start
somewhere, but I welcome you to test any policy that ends up being written
and provide fixes for your particular setup.

- J<

From jeff at ultimateevil.org Wed Nov 29 05:08:41 2006
From: jeff at ultimateevil.org (Jeff Carlson)
Date: Tue, 28 Nov 2006 21:08:41 -0800
Subject: Policy for denyhosts
In-Reply-To:
References: <456D05F3.1050201@ultimateevil.org>
Message-ID: <456D15D9.4080408@ultimateevil.org>

Jason L Tibbitts III wrote:
> And you have selinux enabled, and it already gets the proper context
> on /etc/hosts.deny.sshd? Because this doesn't seem to be working for
> others.

Well, my SSH gateway is still running FC-4, targeted policy.

$ ls -Z hosts.deny{,.sshd}
-rw-r--r--  root root root:object_r:etc_t              hosts.deny
-rw-r--r--  root root root:object_r:etc_t              hosts.deny.sshd

I'm not sure if that was just blind luck or what, but it's working fine for
me.

> There are myriad configuration options in Denyhosts. We have to start
> somewhere, but I welcome you to test any policy that ends up being
> written and provide fixes for your particular setup.

I'm sure that whatever is done, all that I will have to do is copy the
context from hosts.deny to hosts.deny.sshd. I'd just hate to be surprised
if it stopped working without notice. I'll keep an eye on this list as
usual and if a change is made, I'll see if I can implement it on my legacy
system (or motivate my lazy self to upgrade).

From eric.tanguy at univ-nantes.fr Wed Nov 29 07:49:21 2006
From: eric.tanguy at univ-nantes.fr (Tanguy Eric)
Date: Wed, 29 Nov 2006 08:49:21 +0100
Subject: sealert and setroubleshootd
Message-ID: <1164786562.3086.6.camel@bureau.maison>

The new setroubleshoot version solved the problem I had and I find it very
useful, helpful and efficient.
Thanks for this!
But 2 remarks:
the day is given in French format on my system but not the time, which is
given in Anglo-Saxon format but without am or pm. It's annoying. It would
be better if the time were given in the specified format (i.e. 24h format).
The system would be more helpful with a translation of all fields because
sometimes the messages are subtle to understand.
Thank you again for this useful tool.

Eric

From srinivasa at in.ibm.com Wed Nov 29 14:12:01 2006
From: srinivasa at in.ibm.com (Srinivasa Ds)
Date: Wed, 29 Nov 2006 19:42:01 +0530
Subject: Getting avc denied messages for mounting iso images on loopback device
Message-ID: <456D9531.3070101@in.ibm.com>

Hi all

I tried to mount an iso image on a loopback device in FC6, I am getting
this error.

=======================

audit(1164321995.887:79): avc: denied { read } for pid=2969 comm="pam_console_app" name="/" dev=loop0 ino=1472 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
audit(1164321995.887:80): avc: denied { read } for pid=2966 comm="pam_console_app" name="/" dev=loop0 ino=1472 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir

=======================================================

I was doing this operation through ssh. This works if selinux is disabled.
Is there any fix for this??

Thanks
Srinivasa DS

From paul at city-fan.org Wed Nov 29 13:02:22 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 29 Nov 2006 13:02:22 +0000
Subject: Getting avc denied messages for mounting iso images on loopback device
In-Reply-To: <456D9531.3070101@in.ibm.com>
References: <456D9531.3070101@in.ibm.com>
Message-ID: <456D84DE.2090304@city-fan.org>

Srinivasa Ds wrote:
> Hi all
>
> I tried to mount an iso image on a loopback device in FC6, I am getting
> this error.
>
> =======================
>
> audit(1164321995.887:79): avc: denied { read } for pid=2969
> comm="pam_console_app" name="/" dev=loop0 ino=1472
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
> audit(1164321995.887:80): avc: denied { read } for pid=2966
> comm="pam_console_app" name="/" dev=loop0 ino=1472
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
>
> =======================================================
>
> I was doing this operation through ssh. This works if selinux is disabled.
> Is there any fix for this??

I'm not seeing this, but then I use a context mount option in /etc/fstab
since I'm going to export the mounted ISOs using httpd:

/path/to/iso/my.iso  /path/to/mountpoint  iso9660  ro,loop,fscontext=system_u:object_r:public_content_t  0 0

Paul.

From tibbs at math.uh.edu Wed Nov 29 15:06:52 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 29 Nov 2006 09:06:52 -0600
Subject: Policy for denyhosts
In-Reply-To: <456D15D9.4080408@ultimateevil.org>
References: <456D05F3.1050201@ultimateevil.org> <456D15D9.4080408@ultimateevil.org>
Message-ID:

>>>>> "JC" == Jeff Carlson writes:

JC> Well, my SSH gateway is still running FC-4, targeted policy.

Very little chance that this policy would make it into FC4. Probably FC7
only, honestly.

- J<

From jdennis at redhat.com Wed Nov 29 15:26:52 2006
From: jdennis at redhat.com (John Dennis)
Date: Wed, 29 Nov 2006 10:26:52 -0500
Subject: sealert and setroubleshootd
In-Reply-To: <1164786562.3086.6.camel@bureau.maison>
References: <1164786562.3086.6.camel@bureau.maison>
Message-ID: <1164814012.7774.13.camel@finch.boston.redhat.com>

On Wed, 2006-11-29 at 08:49 +0100, Tanguy Eric wrote:
> The new setroubleshoot version solved the problem I had and I find it
> very useful, helpful and efficient.
> Thanks for this!
> But 2 remarks:
> the day is given in French format on my system but not the time, which is
> given in Anglo-Saxon format but without am or pm. It's annoying. It would
> be better if the time were given in the specified format (i.e. 24h format).

Good point, please file a bug report on issues like this, it makes it easier
to track. I opened this bug report for you:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217710

I'll probably just use the C library strftime locale (e.g. %c) to do the
translation; in this instance the new format for you would be this:

mer 29 nov 2006 10:18:45

O.K.?

> The system would be more helpful with a translation of all fields
> because sometimes the messages are subtle to understand.

More translations have been added recently. Once I get the source out of the
Red Hat CVS and into a public "project" where the translations can be
edited by others, anyone can jump in and help translate their language.

> Thank you again for this useful tool.

You're welcome, it's appreciation like this which makes it worthwhile,
thanks.

--
John Dennis
Red Hat Inc.

From dwalsh at redhat.com Wed Nov 29 18:09:59 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Nov 2006 13:09:59 -0500
Subject: How to write in Tomcat webapps directory?
In-Reply-To: <005501c71325$17afbfa0$6481a8c0@STEFANENKO>
References: <005501c71325$17afbfa0$6481a8c0@STEFANENKO>
Message-ID: <456DCCF7.2060405@redhat.com>

Paolo D. wrote:
> Good evening everybody,
> I need to be able to write in the Tomcat "webapps" folder, but the
> default SELinux context var_lib_t doesn't allow it.
> What's the best way to accomplish my need, before the fatal "setenforce 0"?
> To change the SELinux context to "User data" or "Temporary data"?
> I see no boolean in the SELinux policy through which I can allow writing
> in this directory, or selectively disable MAC for Tomcat....
>
> Paolo

If you want apache/tomcat to be able to write to a directory, you can set
the context to httpd_sys_content_t. If this is a standard directory, we
should set it up with default policy.

From dwalsh at redhat.com Wed Nov 29 18:32:47 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Nov 2006 13:32:47 -0500
Subject: Policy for denyhosts
In-Reply-To:
References: <456D05F3.1050201@ultimateevil.org> <456D15D9.4080408@ultimateevil.org>
Message-ID: <456DD24F.4040301@redhat.com>

Jason L Tibbitts III wrote:
>>>>>> "JC" == Jeff Carlson writes:
>
> JC> Well, my SSH gateway is still running FC-4, targeted policy.
>
> Very little chance that this policy would make it into FC4. Probably
> FC7 only, honestly.
>
> - J<

A better solution from the SELinux point of view is to add a new directory,
/etc/denyhosts/, and put your configuration files there. Then the script
can read and write that directory. Putting modifiable files in /etc is a
bad idea from an SELinux point of view.

From dwalsh at redhat.com Wed Nov 29 18:33:55 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Nov 2006 13:33:55 -0500
Subject: cups-lpd
In-Reply-To:
References: <456B3FC3.70603@redhat.com>
Message-ID: <456DD293.50502@redhat.com>

Matthew Saltzman wrote:
> On Mon, 27 Nov 2006, Daniel J Walsh wrote:
>
>> Matthew Saltzman wrote:
>>> Am I supposed to have to disable SELinux protection for cups-lpd in
>>> order to use it?
>>>
>>> After installing and enabling cups-lpd, I can't print using it from
>>> a remote system. Disabling SELinux protection in
>>> system-config-securitylevel clears the problem.
>>>
>>> Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc:
>>> denied { read } for pid=11640 comm="cups-lpd" name="random"
>>> dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0
>>> tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
>>>
>> I would recommend that you add local policy to fix this.
>>
>> audit2allow -M local -i /var/log/audit/audit.log
>
> OK but would you consider it a cups-lpd packaging bug or a policy bug
> that this does not work out of the box?
>
No this is a bug in policy and will be fixed in selinux-policy-2.4.6-1

From dwalsh at redhat.com Wed Nov 29 18:37:37 2006
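For readers who want to see what audit2allow does with denials like the cups-lpd one above (and the pam_console/iso9660 one earlier in this archive) before running it on their own audit log, here is an added example, not code from the thread or from the audit2allow project: a small awk equivalent of the step that turns "avc: denied" records into allow rules. It keeps only the type field of scontext and tcontext, groups by (source type, target type, class) and merges permissions, so repeated denials collapse into one rule. The first three sample lines are copied from the two threads; the fourth is constructed to show permission merging.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal awk equivalent of the part of
# audit2allow that converts "avc: denied" records into allow rules.
# Sample lines 1-3 are copied from the cups-lpd and iso9660 threads; line 4 is
# CONSTRUCTED to show how permissions for one source/target/class are merged.
set -eu

avc_to_allow() {
    # reads AVC records on stdin, prints one allow rule per source/target/class
    awk '
    /avc: +denied/ {
        perms = ""
        # the braces hold one or more permissions, e.g. { read write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        # user:role:type[:mls] -> keep only the type component
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " " t[3] ":" cls
        if (!(key in seen)) { seen[key] = ""; keys[++count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
        }
    }
    END {
        for (k = 1; k <= count; k++)
            printf "allow %s { %s };\n", keys[k], seen[keys[k]]
    }'
}

sample_avc_log() {
    # lines 1-3 from the threads above; line 4 is constructed
    cat <<'EOF'
Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc:  denied  { read } for  pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
audit(1164321995.887:79): avc:  denied  { read } for  pid=2969 comm="pam_console_app" name="/" dev=loop0 ino=1472 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
audit(1164321995.887:80): avc:  denied  { read } for  pid=2966 comm="pam_console_app" name="/" dev=loop0 ino=1472 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
audit(1164481038.400:174): avc:  denied  { getattr } for  pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
EOF
}

# usage: avc_to_allow < /var/log/audit/audit.log
#    or: sh avc_to_allow.sh --demo   (runs on the sample above)
if [ "${1:-}" = "--demo" ]; then
    sample_avc_log | avc_to_allow
fi
```

On the sample the script prints `allow cupsd_lpd_t random_device_t:chr_file { read getattr };` and `allow pam_console_t iso9660_t:dir { read };`. In a real local module you would prefer the refpolicy interface over the raw rule where one exists (for the cups-lpd case, `dev_read_rand(cupsd_lpd_t)`), and for the iso9660 case Paul Howarth's fscontext mount option sidesteps the rule entirely. Treat the output as a starting point for review, not as policy to load unread: a denial may also be one that should be dontaudited or gated by a boolean.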
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Nov 2006 13:37:37 -0500
Subject: Still unconfined?
In-Reply-To: <456C920D.2060001@redhat.com>
References: <456C81B3.2010405@gmail.com> <456C920D.2060001@redhat.com>
Message-ID: <456DD371.1030702@redhat.com>

Daniel J Walsh wrote:
> Jimmy wrote:
>> Hi!
>>
>> I'm trying to learn SELinux from the bottom up, but having some
>> fundamental issues regarding the basics.
>> I'm trying to load the mozilla.pp module in targeted, which works
>> fine. I set the correct contexts with restorecon on firefox-bin. But
>> when I run the binary it still runs in unconfined_t when looking at
>> running processes (ps auxZ).
>> I've tried to compile it myself from different sources, and load it,
>> but get the same results all the time. Then I tried with netutils.pp
>> and discovered the same problem with ping.
>>
>> Why doesn't firefox get transferred to the $1_mozilla_t domain??? I
>> know I'm making some really fundamental mistake somewhere, but I can't
>> find out what it is!
>>
>> With best regards / Tomten
>
> You need to write a transition rule from unconfined_t to mozilla_t
>
> Something like
>
> mozilla_per_role_template(user, unconfined_t, system_r)
>
>
> But there is a bug in policy right now
>
> gen_require(`
> type mozilla_exec_t;
> type mozilla_conf_t;
> ')
>
> Needs to be added to the mozilla_per_role_template interface definition.
>
Looking further into this, I realize there is a lot of work to be done to
make this happen. I think it is better to work on a simpler domain. I plan
on adding a confinement of mozilla in FC7. But right now I am concentrating
on RHEL 5/FC6

From tibbs at math.uh.edu Wed Nov 29 18:38:24 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 29 Nov 2006 12:38:24 -0600
Subject: Policy for denyhosts
In-Reply-To: <456DD24F.4040301@redhat.com>
References: <456D05F3.1050201@ultimateevil.org> <456D15D9.4080408@ultimateevil.org> <456DD24F.4040301@redhat.com>
Message-ID:

>>>>> "DJW" == Daniel J Walsh writes:

DJW> A better solution from the SELinux point of view is to add a new
DJW> directory, /etc/denyhosts/, and put your configuration files
DJW> there.

I'm not sure what you're referring to. There's only one configuration file
and it's not modified by the program. Surely you can't be saying that every
package that has a configuration file in /etc needs to move it into a
subdirectory.

If /etc/hosts.deny is the problem, well, that's the location of the file.
The denyhosts package doesn't own it.

- J<

From sds at tycho.nsa.gov Wed Nov 29 18:55:06 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 29 Nov 2006 13:55:06 -0500
Subject: Policy for denyhosts
In-Reply-To:
References: <1164747100.23019.116.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1164826506.23019.214.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-11-28 at 21:01 -0600, Jason L Tibbitts III wrote:
> Thanks for the info!
>
> >>>>> "SS" == Stephen Smalley writes:
>
> SS> The delicate issue there is that other programs read
> SS> /etc/hosts.deny, so if we move it into its own type (so that we
> SS> only have to allow denyhosts to write to it and not other files in
> SS> /etc), then we have to adjust any other domains that need to read
> SS> the new type.
>
> Ah, of course, you can't allow something to read a file by name, just
> by type. Mighty inconvenient, that.

Inconvenient, but correct.

> SS> User-supplied or admin-supplied? The scripts should run with the
> SS> full privileges of denyhosts or with a reduced subset?
>
> Admin-supplied, I suppose. This is essentially an admin-only
> application; you have to explicitly modify the root-owned config file
> in order to enable a particular script.

Ok, that simplifies matters.

> I can't speak to what the scripts should be able to do. Folks could
> be doing anything at all with them (as they're called via exec), but I
> suspect they're not being used at all in the vast majority of cases.
> Is it possible for the end-user (end-admin?) to do something quick to
> force an executable to transition into the unconfined domain?

Yes, if you include the following in your denyhosts policy:

unconfined_domtrans(denyhosts_t)

Then the admin would just need to assign unconfined_exec_t to the
executable. But you would likely want that under a boolean too, so that an
admin could choose to never allow denyhosts to escalate to unconfined.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Nov 29 18:57:15 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 29 Nov 2006 13:57:15 -0500
Subject: Policy for denyhosts
In-Reply-To:
References: <456D05F3.1050201@ultimateevil.org> <456D15D9.4080408@ultimateevil.org> <456DD24F.4040301@redhat.com>
Message-ID: <1164826635.23019.217.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-11-29 at 12:38 -0600, Jason L Tibbitts III wrote:
> >>>>> "DJW" == Daniel J Walsh writes:
>
> DJW> A better solution from the SELinux point of view is to add a new
> DJW> directory, /etc/denyhosts/, and put your configuration files
> DJW> there.
>
> I'm not sure what you're referring to. There's only one configuration
> file and it's not modified by the program. Surely you can't be saying
> that every package that has a configuration file in /etc needs to move
> it into a subdirectory.
>
> If /etc/hosts.deny is the problem, well, that's the location of the
> file. The denyhosts package doesn't own it.

Yes, /etc/hosts.deny is the issue. The halfway step is to move it into
etc_runtime_t and allow denyhosts to write to that type, thereby only
opening up access to the set of files in that type and not all of etc_t.
The fine-grained step is to move it into its own private type. Either way
may involve some changes to other policy modules for processes that need to
access that file, but the former should have smaller impact.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed Nov 29 19:51:01 2006
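To tie the pieces of this thread together (Stephen Smalley's .te/.fc sample, the network boolean he suggested, the boolean-gated unconfined_domtrans, and the etc_runtime_t halfway step for /etc/hosts.deny), here is an added example: a build script that writes the three module files and builds them with the selinux-policy-devel Makefile when it is present. It is not code from the thread, from the denyhosts package or from any shipped policy. The boolean names are chosen here, and the interfaces not in the original sample (logging_read_generic_logs, files_rw_etc_runtime_files, the corenet_* calls, sysnet_dns_name_resolve, domain_auto_trans) are assumed to exist in the refpolicy of that era; the build fails cleanly if the installed policy lacks one.

```shell
#!/bin/sh
# Added example, not from the thread: writes a denyhosts module that extends
# Stephen Smalley's sample with an .if file and the two booleans discussed
# (network access; escalation to unconfined for admin-supplied scripts), then
# builds it if selinux-policy-devel is installed. ASSUMED: the boolean names
# (chosen here) and the interfaces beyond the sample are refpolicy interfaces
# of the era; the build fails if the installed policy lacks one of them.
set -eu

write_denyhosts_module() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/denyhosts.te" <<'EOF'
policy_module(denyhosts, 1.0.0)

# both off by default: network sync (xmlrpc) and escalation to unconfined
gen_tunable(denyhosts_use_network, false)
gen_tunable(denyhosts_unconfined_scripts, false)

type denyhosts_t;
type denyhosts_exec_t;
init_daemon_domain(denyhosts_t, denyhosts_exec_t)
cron_system_entry(denyhosts_t, denyhosts_exec_t)
type denyhosts_conf_t;
files_config_file(denyhosts_conf_t)
type denyhosts_var_run_t;
files_pid_file(denyhosts_var_run_t)
type denyhosts_var_lib_t;
files_type(denyhosts_var_lib_t)

allow denyhosts_t denyhosts_conf_t:file r_file_perms;
files_search_etc(denyhosts_t)
allow denyhosts_t denyhosts_var_run_t:dir rw_dir_perms;
allow denyhosts_t denyhosts_var_run_t:file create_file_perms;
files_pid_filetrans(denyhosts_t, denyhosts_var_run_t, file)
allow denyhosts_t denyhosts_var_lib_t:dir rw_dir_perms;
allow denyhosts_t denyhosts_var_lib_t:file create_file_perms;
files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
# reads /var/log/secure; writes /etc/hosts.deny once that file is etc_runtime_t
logging_read_generic_logs(denyhosts_t)
files_rw_etc_runtime_files(denyhosts_t)
corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
files_read_usr_files(denyhosts_t)
files_read_etc_files(denyhosts_t)

tunable_policy(`denyhosts_use_network',`
	corenet_tcp_sendrecv_all_if(denyhosts_t)
	corenet_tcp_sendrecv_all_nodes(denyhosts_t)
	corenet_tcp_connect_http_port(denyhosts_t)
	sysnet_dns_name_resolve(denyhosts_t)
')

# the admin labels a plugin script unconfined_exec_t to let it leave the domain
optional_policy(`
	tunable_policy(`denyhosts_unconfined_scripts',`
		unconfined_domtrans(denyhosts_t)
	')
')
EOF
    cat > "$dir/denyhosts.if" <<'EOF'
## <summary>denyhosts: block hosts with repeated login failures</summary>

## <summary>
##	Execute denyhosts in the denyhosts domain.
## </summary>
#
interface(`denyhosts_domtrans',`
	gen_require(`
		type denyhosts_t, denyhosts_exec_t;
	')

	domain_auto_trans($1, denyhosts_exec_t, denyhosts_t)
	allow $1 denyhosts_t:fd use;
	allow denyhosts_t $1:fd use;
	allow denyhosts_t $1:fifo_file rw_file_perms;
	allow denyhosts_t $1:process sigchld;
')
EOF
    cat > "$dir/denyhosts.fc" <<'EOF'
/usr/bin/denyhosts.py	--	gen_context(system_u:object_r:denyhosts_exec_t,s0)
/etc/denyhosts.conf	--	gen_context(system_u:object_r:denyhosts_conf_t,s0)
/var/lib/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
EOF
}

build_denyhosts_module() {
    # selinux-policy-devel ships this Makefile; the target produces denyhosts.pp
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        make -C "$1" -f /usr/share/selinux/devel/Makefile denyhosts.pp
    else
        echo "selinux-policy-devel not installed; sources left in $1" >&2
    fi
}

# usage: sh build-denyhosts.sh /tmp/denyhosts-policy
if [ $# -eq 1 ]; then
    write_denyhosts_module "$1"
    build_denyhosts_module "$1"
fi
```

After `semodule -i denyhosts.pp`, both booleans stay off until the admin turns them on with setsebool, so a default install gets neither network access nor any path to unconfined_t. The files_rw_etc_runtime_files call only helps once /etc/hosts.deny is actually labelled etc_runtime_t, which is a change to the base policy's file contexts rather than to this module; with hosts.deny still etc_t the write is denied and shows up as an AVC.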
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Nov 2006 14:51:01 -0500
Subject: Policy for denyhosts
In-Reply-To:
References: <456D05F3.1050201@ultimateevil.org> <456D15D9.4080408@ultimateevil.org> <456DD24F.4040301@redhat.com>
Message-ID: <456DE4A5.30002@redhat.com>

Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh writes:
>
> DJW> A better solution from the SELinux point of view is to add a new
> DJW> directory, /etc/denyhosts/, and put your configuration files
> DJW> there.
>
> I'm not sure what you're referring to. There's only one configuration
> file and it's not modified by the program. Surely you can't be saying
> that every package that has a configuration file in /etc needs to move
> it into a subdirectory.
>
> If /etc/hosts.deny is the problem, well, that's the location of the
> file. The denyhosts package doesn't own it.
>
> - J<
>
Jeff Carlson used a syntax that looked like you could put the hosts.deny
files in a location other than /etc

---- hosts.allow ----
# Whitelist my LAN
ALL: 192.168.1.0/255.255.255.0
sshd: /etc/hosts.deny.sshd : DENY
sshd: /etc/hosts.allow.us
# hosts.allow.us is a list of IPs in the USA only, since that's
# where I live. No reason to accept SSH from where I don't.

---- hosts.deny ----
ALL:ALL

I was suggesting you could write the tool in such a way that it had those
files in a separate location.

One thing we might want to consider is adding an attribute ETCFILE or some
such and changing files_read_etc_files() to allow reading of these files.
This way new tools could define types of files that they want to manage and
still allow all of the domains that want to read /etc files to succeed.

I have a tool right now that wants to manage /etc/fstab.

Dan

From tibbs at math.uh.edu Wed Nov 29 20:02:26 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 29 Nov 2006 14:02:26 -0600
Subject: Policy for denyhosts
In-Reply-To: <456DE4A5.30002@redhat.com>
References: <456D05F3.1050201@ultimateevil.org> <456D15D9.4080408@ultimateevil.org> <456DD24F.4040301@redhat.com> <456DE4A5.30002@redhat.com>
Message-ID:

>>>>> "DJW" == Daniel J Walsh writes:

DJW> Jeff Carlson used a syntax that looked like you could put the
DJW> hosts.deny files in a location other than /etc

Well, you can have denyhosts manage some file other than hosts.deny, but
that is not the usual configuration. It might be simpler if that was the
default, but I can't really say (since you'd still need to get the context
right on that file so that tcp_wrappers could read it) and migrating all
existing denyhosts installations on Fedora machines would be nontrivial.

DJW> I was suggesting you could write the tool in such a way that it
DJW> had those files in a separate location.

Well, I'm just the maintainer of denyhosts in Fedora Extras. I don't intend
to go rewriting it.

- J<

From steve at adsi-m4.com Wed Nov 29 23:41:03 2006
From: steve at adsi-m4.com (Steve Friedman)
Date: Wed, 29 Nov 2006 18:41:03 -0500 (EST)
Subject: post direct-file-modification commands
Message-ID:

The various GUI tools are nice for getting a policy configured correctly;
however, to propagate this configuration to a series of like modified
machines one runs into a speed bump.

The files (e.g., booleans.local) state that the semanage command should be
used to modify the file; however, via the GUI I am blissfully unaware of
the actual commands (and would like to remain so).

But, it would seem that it should be perfectly legal to propagate the
various ".local" files directly. If this is legal, what commands must be
issued to cause selinux to read the various policy updates? If this isn't
legal, then what means can be used to propagate the policy?

Steve Friedman

From sds at tycho.nsa.gov Thu Nov 30 13:21:44 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 30 Nov 2006 08:21:44 -0500
Subject: post direct-file-modification commands
In-Reply-To:
References:
Message-ID: <1164892904.23019.313.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> The various GUI tools are nice for getting a policy configured correctly;
> however, to propagate this configuration to a series of like modified
> machines one runs into a speed bump.
>
> The files (e.g., booleans.local) state that the semanage command should be
> used to modify the file; however, via the GUI I am blissfully unaware of
> the actual commands (and would like to remain so).
>
> But, it would seem that it should be perfectly legal to propagate the
> various ".local" files directly. If this is legal, what commands must be
> issued to cause selinux to read the various policy updates? If this isn't
> legal, then what means can be used to propagate the policy?

I don't think it is "legal" in the sense that those files are the private
state of libsemanage and are only supposed to be manipulated via the
libsemanage interfaces by programs like semodule, semanage and setsebool.
libsemanage will ultimately support other backends beyond just the current
direct access to the local file store, such as access to local and
ultimately remote policy management daemons.

However, I'm not sure that there is a good mechanism at present to do what
you want in a "legal" way (Joshua or Karl feel free to contradict me if
there is). If you do simply copy them over using your favorite utility for
doing so, you can run semodule -B on the target machine to force a rebuild
and reload of the kernel policy from the updated policy store there. Not
sure if that is exported through any GUI at present.

--
Stephen Smalley
National Security Agency

From jbrindle at tresys.com Thu Nov 30 15:12:43 2006
From: jbrindle at tresys.com (Joshua Brindle) Date: Thu, 30 Nov 2006 10:12:43 -0500 Subject: post direct-file-modification commands In-Reply-To: <456EF1E8.1050305@mentalrootkit.com> Message-ID: <6FE441CD9F0C0C479F2D88F959B015885C808A@exchange.columbia.tresys.com> 
> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com] > > Stephen Smalley wrote: > > On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote: > >> The various GUI tools are nice for getting a policy configured > >> correctly; however, to propagate this configuration to a series of > >> like modified machines one runs into a speed bump. > >> > >> The files (e.g., booleans.local) state that the semanage command > >> should be used to modify the file; however, via the GUI I am > >> blissfully unaware of the actual commands (and would like > to remain so). > >> > >> But, it would seem that it should be perfectly legal to > propagate the > >> various ".local" files directly. If this is legal, what commands > >> must be issued to cause selinux to read the various policy > updates? > >> If this isn't legal, then what means can be used to > propagate the policy? > > > > I don't think it is "legal" in the sense that those files are the > > private state of libsemanage and are only supposed to be > manipulated > > via the libsemanage interfaces by programs like semodule, > semanage and > > setsebool. libsemanage will ultimately support other > backends beyond > > just the current direct access to the local file store, > such as access > > to local and ultimately remote policy management daemons. > > > > However, I'm not sure that there is a good mechanism at > present to do > > what you want in a "legal" way (Joshua or Karl feel free to > contradict > > me if there is). If you do simply copy them over using > your favorite > > utility for doing so, you can run semodule -B on the target > machine to > > force a rebuild and reload of the kernel policy from the updated > > policy store there. Not sure if that is exported through > any GUI at present. > > > > I think that this is needed functionality. Opened a bug - > http://sourceforge.net/tracker/index.php?func=detail&aid=16061 03&group_id=21266&atid=121266. 
> At some point in the near (hopefully) future we'll be putting the network libsemanage backend into the library and after that a simple daemon could be written to send policy and local changes across the network. This would, of course, be the predecessor to a full policy server with access control on policy changes. From steve at adsi-m4.com Thu Nov 30 15:31:40 2006 From: steve at adsi-m4.com (Steve Friedman) Date: Thu, 30 Nov 2006 10:31:40 -0500 (EST) Subject: post direct-file-modification commands In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015885C808A@exchange.columbia.tresys.com> References: <6FE441CD9F0C0C479F2D88F959B015885C808A@exchange.columbia.tresys.com> Message-ID: On Thu, 30 Nov 2006, Joshua Brindle wrote: 
>> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com] >> >> Stephen Smalley wrote: >>> On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote: >>>> The various GUI tools are nice for getting a policy configured >>>> correctly; however, to propagate this configuration to a series of >>>> like modified machines one runs into a speed bump. >>>> >>>> The files (e.g., booleans.local) state that the semanage command >>>> should be used to modify the file; however, via the GUI I am >>>> blissfully unaware of the actual commands (and would like >> to remain so). >>>> >>>> But, it would seem that it should be perfectly legal to >> propagate the >>>> various ".local" files directly. If this is legal, what commands >>>> must be issued to cause selinux to read the various policy >> updates? >>>> If this isn't legal, then what means can be used to >> propagate the policy? >>> >>> I don't think it is "legal" in the sense that those files are the >>> private state of libsemanage and are only supposed to be >> manipulated >>> via the libsemanage interfaces by programs like semodule, >> semanage and >>> setsebool. libsemanage will ultimately support other >> backends beyond >>> just the current direct access to the local file store, >> such as access >>> to local and ultimately remote policy management daemons. >>> >>> However, I'm not sure that there is a good mechanism at >> present to do >>> what you want in a "legal" way (Joshua or Karl feel free to >> contradict >>> me if there is). If you do simply copy them over using >> your favorite >>> utility for doing so, you can run semodule -B on the target >> machine to >>> force a rebuild and reload of the kernel policy from the updated >>> policy store there. Not sure if that is exported through >> any GUI at present. >>> >> >> I think that this is needed functionality. Opened a bug - >> http://sourceforge.net/tracker/index.php?func=detail&aid=16061 > 03&group_id=21266&atid=121266. 
>> > > At some point in the near (hopefully) future we'll be putting the > network libsemanage backend into the library and after that a simple > daemon could be written to send policy and local changes across the > network. This would, of course, be the predecessor to a full policy > server with access control on policy changes. > Call me old-fashioned, but it is nice to be able to send a colleague / customer / friend a text file that can be edited, diffed, reviewed, archived, and updated. Policy servers are convenient for one organization, but sometimes this transfer occurs across organization boundaries. (Not to mention the delay between this hoped-for tool and the actual, production-ready deployment schedule...) From jbrindle at tresys.com Thu Nov 30 15:44:24 2006 From: jbrindle at tresys.com (Joshua Brindle) Date: Thu, 30 Nov 2006 10:44:24 -0500 Subject: post direct-file-modification commands In-Reply-To: Message-ID: <6FE441CD9F0C0C479F2D88F959B015885C8099@exchange.columbia.tresys.com> > From: Steve Friedman [mailto:steve at adsi-m4.com] > > On Thu, 30 Nov 2006, Joshua Brindle wrote: 
> > >> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com] > >> > >> Stephen Smalley wrote: > >>> On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote: > >>>> The various GUI tools are nice for getting a policy configured > >>>> correctly; however, to propagate this configuration to a > series of > >>>> like modified machines one runs into a speed bump. > >>>> > >>>> The files (e.g., booleans.local) state that the semanage command > >>>> should be used to modify the file; however, via the GUI I am > >>>> blissfully unaware of the actual commands (and would like > >> to remain so). > >>>> > >>>> But, it would seem that it should be perfectly legal to > >> propagate the > >>>> various ".local" files directly. If this is legal, what > commands > >>>> must be issued to cause selinux to read the various policy > >> updates? > >>>> If this isn't legal, then what means can be used to > >> propagate the policy? > >>> > >>> I don't think it is "legal" in the sense that those files are the > >>> private state of libsemanage and are only supposed to be > >> manipulated > >>> via the libsemanage interfaces by programs like semodule, > >> semanage and > >>> setsebool. libsemanage will ultimately support other > >> backends beyond > >>> just the current direct access to the local file store, > >> such as access > >>> to local and ultimately remote policy management daemons. > >>> > >>> However, I'm not sure that there is a good mechanism at > >> present to do > >>> what you want in a "legal" way (Joshua or Karl feel free to > >> contradict > >>> me if there is). If you do simply copy them over using > >> your favorite > >>> utility for doing so, you can run semodule -B on the target > >> machine to > >>> force a rebuild and reload of the kernel policy from the updated > >>> policy store there. Not sure if that is exported through > >> any GUI at present. > >>> > >> > >> I think that this is needed functionality. 
Opened a bug - > >> http://sourceforge.net/tracker/index.php?func=detail&aid=16061 > > 03&group_id=21266&atid=121266. > >> > > > > At some point in the near (hopefully) future we'll be putting the > > network libsemanage backend into the library and after that > a simple > > daemon could be written to send policy and local changes across the > > network. This would, of course, be the predecessor to a full policy > > server with access control on policy changes. > > > > Call me old-fashioned, but it is nice to be able to send a > colleague / customer / friend a text file that can be edited, > diffed, reviewed, archived, and updated. Policy servers are > convenient for one organization, but sometimes this transfer > occurs across organization boundaries. (Not to mention the > delay between this hoped-for tool and the actual, > production-ready deployment schedule...) > That's fine, and the bug added is to export the data, but I am dubious about the usefulness of doing so. Policies probably aren't going to be compatible across organization boundaries in a meaningful way, systems and policies are specific to the organization. For example, why would you send the selinux user and linux user to selinux user mappings to another organization? From mantaray_1 at cox.net Thu Nov 30 16:15:48 2006 
From: mantaray_1 at cox.net (Ken) Date: Thu, 30 Nov 2006 09:15:48 -0700 Subject: Firefox on strict policy In-Reply-To: <456B422B.1030206@redhat.com> References: <45671179.90005@cox.net> <456B422B.1030206@redhat.com> Message-ID: <456F03B4.1020302@cox.net> Thanks for the suggestion, but it was not labeling. It appears to have had something to do with mls, although I have not had the time to figure out exactly what. I changed all the mls levels to s0 and the problem went away. It sure would be nice if there were a feature to disable all "dontaudit" statements for policy debugging. -Ken- Daniel J Walsh wrote: > Ken wrote: >> I am attempting to get a strict policy working on my FC-6 system >> (version 2.4.3-2.fc6). I have successfully created a user account, >> and I can log both the root and the user account into the GUI. I am >> attempting to get Firefox to work and I am having difficulties. If I >> click on the Firefox icon, I see the program listed as opening, and >> it stays that way for a few seconds and then disappears. If I check >> the message log (var/log/messages), there are no messages (either avc >> or other) generated as a result of the attempt. This only happens >> when the policy is enforcing. When the policy is is not enforcing, >> Firefox loads properly -- also with no messages. I have noticed that >> Firefox is not writing to its .mozilla folder when the policy is >> enforcing, and that it does write to several files in this folder >> when it loads properly. This problem affects both my user account >> and the root account. Can someone please explain why I am not >> receiving any error messages (or any messages at all), and let me >> know what needs to be changed in order to load Firefox? >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > check /var/log/audit/audit.log for avc messages. > > I would guess you have a labeling problem on your home dir. 
> > restorecon -R -v ~/ > From jbrindle at tresys.com Thu Nov 30 16:19:05 2006 From: jbrindle at tresys.com (Joshua Brindle) Date: Thu, 30 Nov 2006 11:19:05 -0500 Subject: post direct-file-modification commands In-Reply-To: <456F02F6.3070704@mentalrootkit.com> Message-ID: <6FE441CD9F0C0C479F2D88F959B015885C80B6@exchange.columbia.tresys.com> > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com] > > Joshua Brindle wrote: 
> >> From: Steve Friedman [mailto:steve at adsi-m4.com] > > > > >> Call me old-fashioned, but it is nice to be able to send a > colleague > >> / customer / friend a text file that can be edited, > diffed, reviewed, > >> archived, and updated. Policy servers are convenient for one > >> organization, but sometimes this transfer occurs across > organization > >> boundaries. (Not to mention the delay between this hoped-for tool > >> and the actual, production-ready deployment schedule...) > >> > > > > That's fine, and the bug added is to export the data, but I > am dubious > > about the usefulness of doing so. Policies probably aren't > going to be > > compatible across organization boundaries in a meaningful > way, systems > > and policies are specific to the organization. For example, > why would > > you send the selinux user and linux user to selinux user > mappings to > > another organization? > > > > You probably wouldn't send user mappings to other > organizations but booleans, file context, port labeling, etc. These should be directly dependent on the services being run and the local configuration, if two organizations are running services in an identical manner then sure but what about all the unrelated noise? (exporting all ports when really you are trying to configure policy for a single service). > are all probably fairly portable. Additionally, there are > other uses like backup, automatic system provisioning (e.g., > kickstart), or integration with existing administration > scripts and processes. > Agreed, the interface for this would likely be export all, something that is not useful for the above scenario. > The policy server is a particular kind of solution for a > particular set of circumstances - no reason to not support > other solutions. Especially as they are likely - as Steve > points out - to be viable sooner. > That's fine, how do you suppose the exporting will work? What about policy modules? 
Should it be all or nothing or do you choose which parts you want to export? Clearly backup is a concern here, I didn't say it wasn't, but backup can be done very simply whereas some sort of portability of specific pieces is less trivial. From stefano at proinco.net Thu Nov 30 17:00:24 2006 From: stefano at proinco.net (stefano at proinco.net) Date: 30 Nov 2006 09:00:24 -0800 Subject: fedora-selinux-list Digest, Vol 33, Issue 28 Message-ID: <20061130170024.18092.qmail@su912267.aspadmin.net> This is an automatic message. I will be away for the next few weeks. For any work-related communication, please contact the office. Regards, stefano bagnasco From mjs at ces.clemson.edu Thu Nov 30 17:14:11 2006 
From: mjs at ces.clemson.edu (Matthew Saltzman) Date: Thu, 30 Nov 2006 12:14:11 -0500 (EST) Subject: cups-lpd In-Reply-To: <456DD293.50502@redhat.com> References: <456B3FC3.70603@redhat.com> <456DD293.50502@redhat.com> Message-ID: On Wed, 29 Nov 2006, Daniel J Walsh wrote: > Matthew Saltzman wrote: >> On Mon, 27 Nov 2006, Daniel J Walsh wrote: >> >>> Matthew Saltzman wrote: >>>> Am I supposed to have to disable SELinux protection for cups-lpd in order >>>> to use it? >>>> >>>> After installing and enabling cups-lpd, I can't print using it from a >>>> remote system. Disabling SELinux protection in >>>> system-config-securitylevel clears the problem. >>>> >>>> Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { >>>> read } for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 >>>> scontext=system_u:system_r:cupsd_lpd_t:s0 >>>> tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file >>>> >>>> >>> I would recommend that you add local policy to fix this. >>> >>> audit2allow -M local -i /var/log/audit/audit.log >> >> OK but would you consider it a cups-lpd packaging bug or a policy bug that >> this does not work out of the box? >> > No this is a bug in policy and will be fixed in selinux-policy-2.4.6-1 OK Thanks. -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs From steve at adsi-m4.com Thu Nov 30 19:05:50 2006 From: steve at adsi-m4.com (Steve Friedman) Date: Thu, 30 Nov 2006 14:05:50 -0500 (EST) Subject: post direct-file-modification commands In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015885C80B6@exchange.columbia.tresys.com> References: <6FE441CD9F0C0C479F2D88F959B015885C80B6@exchange.columbia.tresys.com> Message-ID: On Thu, 30 Nov 2006, Joshua Brindle wrote: >> From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com] >> >> Joshua Brindle wrote: 
>>>> From: Steve Friedman [mailto:steve at adsi-m4.com] >> >> >> >>>> Call me old-fashioned, but it is nice to be able to send a colleague >>>> / customer / friend a text file that can be edited, diffed, reviewed, >>>> archived, and updated. Policy servers are convenient for one >>>> organization, but sometimes this transfer occurs across organization >>>> boundaries. (Not to mention the delay between this hoped-for tool >>>> and the actual, production-ready deployment schedule...) >>>> >>> >>> That's fine, and the bug added is to export the data, but I am dubious >>> about the usefulness of doing so. Policies probably aren't going to be >>> compatible across organization boundaries in a meaninful way, systems >>> and policies are specific to the organization. For example, why would >>> you send the selinux user and linux user to selinux user mappings to >>> another organization? >>> >> >> You probably wouldn't send user mappings to other >> organizations but booleans, file context, port labeling, etc. > > These should be directly dependant on the services being run and the > local configuration, if two organizations are running services in an > identical manner then sure but what about all the unrelated noise? > (exporting all ports when really you are trying to configure policy for > a single service). Well, I'll give you some hypothetical scenarios for cross-organization sharing (warning: I am just learning how to use selinux, so these might be trivial): - my brother-in-law writes me regarding a problem that he is having, so I send him my working config (or take it with me on a stick) so he can see how to configure his machine the same. - I (as I suspect many others) have an RPM for the various configuration files on my machine. I can use yum to ensure that the RPM stays current. So, I would like to distribute my selinux configuration (w/o affecting the distribution files that will be updated separately) in like manner. > >> are all probably fairly portable. 
Additionally, there are >> other uses like backup, automatic system provisioning (e.g., >> kickstart), or integration with existing administration >> scripts and processes. >> > > Agreed, the interface for this would likely be export all, something > that is not useful for the above scenario. > >> The policy server is a particular kind of solution for a >> particular set of circumstances - no reason to not support >> other solutions. Especially as they are likely - as Steve >> points out - to be viable sooner. >> > > That's fine, how do you suppose the exporting will work? What about > policy modules? Should it be all or nothing or do you choose which parts > you want to export? Clearly backup is a concern here, I didn't say it > wasn't, but backup can be done very simply whereas some sort of > portability of specific pieces is less trivial. > Let me give an example. We use postfix at my organization. It has a number of configuration files. Using a makefile (an early version of which was copied from the web), the script (via make) issues the relevant commands to build the necessary hash files, etc. I would envision a similar situation here: I would distribute one or more ASCII configuration files for the local customization along with a makefile that would determine what commands needed to be issued to build the appropriate policy. In effect, I was asking for the details of the makefile. After updating (say) booleans.local, what needs to be executed, etc. From sds at tycho.nsa.gov Thu Nov 30 19:15:15 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 30 Nov 2006 14:15:15 -0500 Subject: post direct-file-modification commands In-Reply-To: References: <6FE441CD9F0C0C479F2D88F959B015885C80B6@exchange.columbia.tresys.com> Message-ID: <1164914115.23019.987.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2006-11-30 at 14:05 -0500, Steve Friedman wrote: > Let me give an example. We use postfix at my organization. It has a > number of configuration files. Using a makefile (an early version of > which was copied from the web), the script (via make) issues the relevant > commands to build the necessary hash files, etc. I would envision a > similar situation here: I would distribute one or more ASCII > configuration files for the local customization along with a makefile that > would determine what commands needed to be issued to build the appropriate > policy. > > In effect, I was asking for the details of the makefile. After updating > (say) booleans.local, what needs to be executed, etc. Yes, at present, it would be a matter of copying the new booleans.local into place and running semodule -B on the target machine. Going forward, we need utilities that can export/dump and import the data without requiring manual copying of the raw files. In the booleans case, that just means an option to getsebool to dump local booleans in a format easily consumed by setsebool (or some new option to setsebool); this requires finally migrating getsebool over to using libsemanage rather than directly reading the kernel state via selinuxfs (or at least supporting such an option as well). -- Stephen Smalley National Security Agency From steve at adsi-m4.com Thu Nov 30 19:32:44 2006 
From: steve at adsi-m4.com (Steve Friedman) Date: Thu, 30 Nov 2006 14:32:44 -0500 (EST) Subject: post direct-file-modification commands In-Reply-To: <1164914115.23019.987.camel@moss-spartans.epoch.ncsc.mil> References: <6FE441CD9F0C0C479F2D88F959B015885C80B6@exchange.columbia.tresys.com> <1164914115.23019.987.camel@moss-spartans.epoch.ncsc.mil> Message-ID: On Thu, 30 Nov 2006, Stephen Smalley wrote: > On Thu, 2006-11-30 at 14:05 -0500, Steve Friedman wrote: >> Let me give an example. We use postfix at my organization. It has a >> number of configuration files. Using a makefile (an early version of >> which was copied from the web), the script (via make) issues the relevant >> commands to build the necessary hash files, etc. I would envision a >> similar situation here: I would distribute one or more ASCII >> configuration files for the local customization along with a makefile that >> would determine what commands needed to be issued to build the appropriate >> policy. >> >> In effect, I was asking for the details of the makefile. After updating >> (say) booleans.local, what needs to be executed, etc. > > Yes, at present, it would be a matter of copying the new booleans.local > into place and running semodule -B on the target machine. Going > forward, we need utilities that can export/dump and import the data > without requiring manual copying of the raw files. In the booleans > case, that just means an option to getsebool to dump local booleans in a > format easily consumed by setsebool (or some new option to setsebool); > this requires finally migrating getsebool over to using libsemanage > rather than directly reading the kernel state via selinuxfs (or at least > supporting such an option as well). > Great. One last question, if I may: are there any other ".local" files besides booleans.local and file_contexts.local? This, plus Dan Walsh's blog post (http://danwalsh.livejournal.com/8637.html, for the archives), and I think that I am set. 
From Tomtefans at gmail.com Thu Nov 30 20:10:58 2006 From: Tomtefans at gmail.com (Jimmy) Date: Thu, 30 Nov 2006 21:10:58 +0100 Subject: Strict policy working? Message-ID: <456F3AD2.3020203@gmail.com> Does the strict policy work at all? I've installed FC6 4 times on 2 different PCs, and after the default installation I've installed the strict policy package and enabled it, relabeled the disk and rebooted it. X boots up, but I can't login. I get an error message, and looking deeper into it it says: "Xlib: connection to ":0.0" refused by server Xlib: no protocol specified xrdb: Can't open display ':0' ... ..." When I switch off enforced (setenforce 0), it works fine. I have tried this with the latest policy and updates as well, and seriously starting to wonder if the policy really works "out of the box". The reason I want the strict policy is Fedora's own description of the strict policy: "Strict policy works best where you have a controlled userspace. For example, you can setup a security policy where your users are only allowed to use the Web browser to view files on the Internet and only allowed to download to certain directories. You could limit what applications the Web browser can launch to /helper/ applications." This is exactly what I want to do, I want to be able to boot up a FC6 on my Vmware machine, and start a firefox session and browse some stuff on the web in a secure way. Sooo... is the strict policy broken, or am I broken? ;) With best regards / Tomten From sds at tycho.nsa.gov Thu Nov 30 21:25:18 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 30 Nov 2006 16:25:18 -0500 Subject: Strict policy working? In-Reply-To: <456F3AD2.3020203@gmail.com> References: <456F3AD2.3020203@gmail.com> Message-ID: <1164921918.23019.994.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2006-11-30 at 21:10 +0100, Jimmy wrote: > Does the strict policy work at all? > Ive installed FC6 4 times on 2 different PCs, and after the default > installation ive installed the strict policypackage and enabled it, > relabeled the disk and rebooted it. > X boots up, but i cant login. I get an error message, and looking > deeper into it it says: > "Xlib: connection to ":0.0" refused by server > Xlib: no protocol specified > > xrdb: Can't open display ':0' > ... > ..." > > When i switch off enforced (setenforce 0), it works fine. I have tried > this with the latest policy and updates as well, and seriously > starting to wonder if the policy really works "out of the box". > The reason i want the strict policy is Fedoras own description of the > strict policy: > > "Strict policy works best where you have a controlled userspace. For > example, you can setup a security policy where your users are only > allowed to use the Web browser to view files on the Internet and only > allowed to download to certain directories. You could limit what > applications the Web browser can launch to helper applications." > > This is exactly what i want to do, i want to be able to boot up a FC6 > on my Vmware machine, and start a firefox session and browse some > stuff on the web in a secure way. > Sooo... is the strict policy broken, or am i broken? ;) Strict policy almost always requires some customization, and since it is not the default, it has a much smaller user (and thus testing) base in Fedora. Have you looked at the avc: denied messages in your /var/log/messages file (before auditd starts) and in /var/log/audit/audit.log (once auditd starts) to see the specific denials? Have you tried using audit2allow(1)? 
Read the Fedora SELinux FAQ? http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Thu Nov 30 21:43:32 2006 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 30 Nov 2006 16:43:32 -0500 Subject: post direct-file-modification commands In-Reply-To: References: <6FE441CD9F0C0C479F2D88F959B015885C80B6@exchange.columbia.tresys.com> <1164914115.23019.987.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1164923012.23019.1004.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2006-11-30 at 14:32 -0500, Steve Friedman wrote: > On Thu, 30 Nov 2006, Stephen Smalley wrote: > > Yes, at present, it would be a matter of copying the new booleans.local > > into place and running semodule -B on the target machine. Going > > forward, we need utilities that can export/dump and import the data > > without requiring manual copying of the raw files. In the booleans > > case, that just means an option to getsebool to dump local booleans in a > > format easily consumed by setsebool (or some new option to setsebool); > > this requires finally migrating getsebool over to using libsemanage > > rather than directly reading the kernel state via selinuxfs (or at least > > supporting such an option as well). > > > > Great. One last question, if I may: are there any other ".local" files > besides booleans.local and file_contexts.local? This, plus Dan Walsh's > blog post (http://danwalsh.livejournal.com/8637.html, for the archives), > and I think that I am set.
There can be, if local definitions are created via semanage by the admin, e.g.
ports.local - local labeling of TCP or UDP ports
interfaces.local - local labeling of network interfaces
nodes.local - local labeling of hosts based on (netmask,address)
users.local - local additions of SELinux users
seusers - map Linux users to SELinux users
Also, there can be local modules created by the admin, which could be named anything (*.pp) under the modules subdirectory; the names are just the module names. 
So local.pp would be common for people using audit2allow -M local as per the Fedora SELinux FAQ, but people may also be defining any number of more precisely named local modules to e.g. fix up issues they encounter with particular programs. Safest thing to do is to just rsync the entire policy tree and semodule -B it. -- Stephen Smalley National Security Agency
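The procedure the thread arrives at (copy the .local files and any local *.pp modules into place, then `semodule -B`; the full list of .local files in Stephen's last message) as an added POSIX shell example that is not from the thread or from the SELinux project. It assumes the FC6-era store layout under /etc/selinux/<type>/modules/active and lets the caller leave out the user-mapping files (users.local, seusers) that Joshua considered non-portable; the function names and the SEMODULE override are mine.

```shell
#!/bin/sh
# Added example, not from the list thread. Exports an admin's local
# customizations from a libsemanage policy store and re-applies them on
# another machine. Assumed store layout (FC6 era, an assumption):
#   /etc/selinux/<type>/modules/active/{booleans.local,...}
#   /etc/selinux/<type>/modules/active/modules/*.pp
# Typical use as root on the target:  apply_local /path/to/export "$STORE"

# Local override files named in the thread; users.local and seusers hold
# the user mappings that are unlikely to be portable across organizations.
LOCAL_FILES="booleans.local file_contexts.local ports.local interfaces.local nodes.local users.local seusers"
USER_FILES="users.local seusers"

# Default store path (assumption); override with STORE=... in the environment.
STORE=${STORE:-/etc/selinux/targeted/modules/active}

# is_user_file NAME: succeeds when NAME is one of the user-mapping files.
is_user_file() {
    for u in $USER_FILES; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# export_local SRC_STORE OUTDIR [portable]
# Copies every local override present in SRC_STORE, plus every *.pp under
# SRC_STORE/modules, into OUTDIR. With "portable" the user-mapping files
# are skipped. Prints the relative path of each file copied, one per line.
export_local() {
    src=$1; out=$2; mode=${3:-all}
    mkdir -p "$out/modules"
    for f in $LOCAL_FILES; do
        if [ "$mode" = portable ] && is_user_file "$f"; then
            continue
        fi
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$out/$f"
            echo "$f"
        fi
    done
    for m in "$src"/modules/*.pp; do
        if [ -f "$m" ]; then
            cp -p "$m" "$out/modules/"
            echo "modules/$(basename "$m")"
        fi
    done
    return 0
}

# diff_local EXPORT DST_STORE
# Lists the override files that apply_local would change in DST_STORE, so
# the export can be reviewed before it is applied. Like diff(1), returns 1
# when something differs and 0 when the store already matches.
diff_local() {
    exp=$1; dst=$2; changed=0
    for f in $LOCAL_FILES; do
        if [ -f "$exp/$f" ] && ! cmp -s "$exp/$f" "$dst/$f" 2>/dev/null; then
            echo "changed: $f"
            changed=1
        fi
    done
    return $changed
}

# apply_local EXPORT DST_STORE
# Copies an export produced by export_local into DST_STORE, then rebuilds
# and reloads the kernel policy with "semodule -B" as the thread describes.
# SEMODULE may be overridden (e.g. SEMODULE=true) to rehearse the copy
# without touching the live policy.
apply_local() {
    exp=$1; dst=$2
    mkdir -p "$dst/modules"
    for f in $LOCAL_FILES; do
        if [ -f "$exp/$f" ]; then
            cp -p "$exp/$f" "$dst/$f"
        fi
    done
    for m in "$exp"/modules/*.pp; do
        if [ -f "$m" ]; then
            cp -p "$m" "$dst/modules/"
        fi
    done
    ${SEMODULE:-semodule} -B
}
```

Running diff_local against the target store before apply_local gives the reviewable, diffable text-file workflow Steve asked for while still ending in the rebuild step Stephen names.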