From paul at city-fan.org Sun Oct 1 09:26:36 2006
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 01 Oct 2006 10:26:36 +0100
Subject: Mounting the news spool
In-Reply-To: <451DA960.5080804@3di.it>
References: <451DA960.5080804@3di.it>
Message-ID: <1159694806.14816.13.camel@metropolis.intra.city-fan.org>

On Sat, 2006-09-30 at 01:16 +0200, Davide Bolcioni wrote:
> Greetings,
> while attempting to set up leafnode I
> had a problem with mounting its spool, /var/spool/news:
>
> Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied
> { mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
>
> Using audit2why and then audit2allow I was able to come up with the
> following .te policy:
>
> module news 1.0;
>
> require {
> class dir mounton;
> type mount_t;
> type news_spool_t;
> role system_r;
> };
>
> allow mount_t news_spool_t:dir mounton;
>
> which to my untrained eye looked good. Researching the archives before
> writing this, however, I came upon the answer for a similar problem:
>
> > https://www.redhat.com/archives/fedora-selinux-list/2006-August/msg00096.html
>
> and found out that it would probably have been enough to label the
> mount point mnt_t (haven't tried it yet). Assuming it works, how should
> I have found out about it ? I tried rpm -qd and found out about the
> selinux-policy documentation, but nothing showed up for the targeted
> policy. In this context, isn't audit2allow somewhat ... dangerous ?
>
> Or was it just a shortcoming in the leafnode RPM, so I should be looking
> at what INN is doing instead ?

This sort of problem only usually crops up when you add a mountpoint post-installation. It's not really something that can be anticipated by packagers of general applications like leafnode (in fact it's a problem for mount rather than a problem for leafnode).
It might be useful for SELinux diagnostic tools to note that "mounton" problems are usually the result of a labelling problem rather than a policy problem though. Labelling the mountpoint as mnt_t should indeed fix this problem.

Paul.

From selinux at gmail.com Sun Oct 1 17:19:03 2006
From: selinux at gmail.com (Tom London)
Date: Sun, 1 Oct 2006 10:19:03 -0700
Subject: prelink, still?
Message-ID: <4c4ba1530610011019p176b2e8arbc3a3b47bb363d49@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

Policy: selinux-policy-2.3.16-9

I'm still getting:

type=AVC msg=audit(1159700653.385:150): avc: denied { execute } for pid=7605 comm="ld-linux.so.2" name="spamc" dev=dm-0 ino=5488531 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1159700653.385:150): arch=40000003 syscall=192 success=no exit=-13 a0=8048000 a1=7000 a2=5 a3=812 items=0 ppid=7526 pid=7605 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.4.90.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159700653.385:150): path="/usr/bin/spamc"

That expected?

tom
--
Tom London

From smooge at gmail.com Sun Oct 1 19:21:38 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Sun, 1 Oct 2006 13:21:38 -0600
Subject: People running Postfix in FC5 not running Selinux?
In-Reply-To: <80d7e4090609291708h1fe2a33cx68e67a67053b1cbc@mail.gmail.com>
References: <80d7e4090609291708h1fe2a33cx68e67a67053b1cbc@mail.gmail.com>
Message-ID: <80d7e4090610011221s454f1381w19b5e97b9714642f@mail.gmail.com>

On 9/29/06, Stephen John Smoogen wrote:
> I installed a system from the original FC5 disks and updated to latest
> versions in yum repos. I changed over to postfix and found that it
> wasn't working for some reason.. no errors to /var/log/messages or
> /var/log/secure.. and I completely forgot for a day to look at audit.
>

That has to be the worst subject I could have come up with. Probably not enough sleep.

...
> postfix was able to start email but could not do a mailq
> doing a mailq showed me things like
>
> allow postfix_local_t initrc_var_run_t:file { read write };
> allow postfix_showq_t initrc_var_run_t:file { read write };
>
> type=AVC msg=audit(1159574724.622:397): avc: denied { read write }
> for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870
> scontext=system_u:system_r:postfix_local_t:s0
> tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean
> settings; check boolean settings.
> You can see the necessary allow rules by running
> audit2allow with this audit message as input.
>
> type=AVC msg=audit(1159574753.636:398): avc: denied { read write }
> for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871
> scontext=system_u:system_r:postfix_showq_t:s0
> tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean
> settings; check boolean settings.
> You can see the necessary allow rules by running
> audit2allow with this audit message as input.
>
>
> Not sure what I should do next. Turning off the selinux
> selinux-policy-targeted-2.3.7-2.fc5
> selinux-policy-2.3.7-2.fc5
>

--
Stephen J Smoogen.
-- CSIRT/Linux System Administrator
How far that little candle throws his beams!
So shines a good deed in a naughty world.
= Shakespeare.
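As an added example (not part of the list thread, and not a tool from the selinux-policy or setroubleshoot projects): a small POSIX-shell triage helper for AVC records like the two postfix denials quoted above and the mounton denial at the start of this thread. It assumes single-line records in the `avc: denied { perms } ... scontext=... tcontext=... tclass=...` form and applies two rules of thumb that appear in this thread: a `mounton` denial on a directory points at a mislabelled mount point rather than missing policy, and a target labelled initrc_var_run_t points at files that were created under an init script's label. The verdicts are hints about what to check before reaching for audit2allow, not policy decisions. All function and variable names are my own; the three sample records are the ones quoted in this thread, joined back onto single lines.

```shell
#!/bin/sh
# Added example (not from the list thread): triage AVC denial records with
# plain POSIX tools (sed, cut). Helper names are hypothetical; the sample
# records below are the ones quoted in this thread, re-joined onto one line.

# avc_field RECORD KEY: print the value of "KEY=value" in RECORD ("" if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# type_of CONTEXT: the type field of a user:role:type[:range] context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# has_perm PERMS NAME: succeed if NAME is one of the space-separated PERMS.
has_perm() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_triage RECORD: classify a denial as a likely labelling problem
# (labelling-mountpoint, labelling-initrc) or as something to report to the
# policy maintainers (policy).
avc_triage() {
    _perms=$(avc_perms "$1")
    _tclass=$(avc_field "$1" tclass)
    _ttype=$(type_of "$(avc_field "$1" tcontext)")
    if [ "$_tclass" = dir ] && has_perm "$_perms" mounton; then
        # mount is being refused on a directory: relabel the mount point
        # (in this thread: news_spool_t -> mnt_t) instead of adding an allow rule
        echo labelling-mountpoint
    elif [ "$_ttype" = initrc_var_run_t ]; then
        # the object inherited the init script's label when it was created;
        # check where the file lives and what label that path should carry
        echo labelling-initrc
    else
        echo policy
    fi
}

# avc_summary RECORD: one line "<verdict> <source type> -> <target type>:<class> {perms}".
avc_summary() {
    printf '%s %s -> %s:%s {%s}\n' \
        "$(avc_triage "$1")" \
        "$(type_of "$(avc_field "$1" scontext)")" \
        "$(type_of "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# Sample records from this thread (constructed by joining the wrapped lines).
REC_MOUNTON='audit(1158186712.955:375): avc: denied { mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:news_spool_t:s0 tclass=dir'
REC_POSTFIX='type=AVC msg=audit(1159574724.622:397): avc: denied { read write } for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file'
REC_PRELINK='type=AVC msg=audit(1159700653.385:150): avc: denied { execute } for pid=7605 comm="ld-linux.so.2" name="spamc" dev=dm-0 ino=5488531 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file'

# Usage: run the three samples through the summariser.
for rec in "$REC_MOUNTON" "$REC_POSTFIX" "$REC_PRELINK"; do
    avc_summary "$rec"
done
```

For the two "labelling" verdicts the next step is to look at the object's current label with `ls -Z` and at what the file contexts say it should be with `restorecon -n -v` on the path, and only then decide whether a relabel or a policy change is needed; the prelink record falls through to `policy`, which matches the thread's outcome of a policy update rather than a relabel.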
From ruedarod at cse.psu.edu Sun Oct 1 19:51:36 2006
From: ruedarod at cse.psu.edu (Sandra Julieta Rueda Rodriguez)
Date: Sun, 1 Oct 2006 15:51:36 -0400 (EDT)
Subject: creating a new user
In-Reply-To: <1159465470.13131.6.camel@moss-spartans.epoch.ncsc.mil>
References: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72> <1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil> <50286.130.203.65.72.1159408183.squirrel@130.203.65.72> <1159465470.13131.6.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <49382.66.71.92.111.1159732296.squirrel@66.71.92.111>

Hi,

>>
>> I am trying to create a new user. I added it to the file local.users in
>> the src directory and also to /etc/selinux/strict/users/local.users. I
>> tried first to modify only the one in src but it did not work, so I also
>> modified the other one.
>
> local.users is deprecated in FC5, and only looked at if SETLOCALDEFS=1
> in /etc/selinux/config. In FC5 and later, user manipulation is done via
> semanage, and makes use of a separate mapping from Linux users to
> SELinux user identities (the seusers mapping), so that one can
> add/remove/modify Linux users without modifying kernel policy at all.
> semanage login manipulates this mapping. semanage user can also be used
> to manipulate SELinux user identities, but you generally shouldn't need
> to do that - typically you would just have one SELinux user identity per
> logical role, and then map Linux users to those SELinux user identities.

That was my next question. I wanted to know if local.users did not work at all for FC5. Now I have your answer.

>
> Um, you do know that FC5 policy is also based on refpolicy, right? And
> that you should be doing a modular policy build even if you are building
> from the upstream refpolicy, so that you can continue to use semodule
> and semanage?

Yes, you were talking about it two weeks ago. But I did not know that there are things that do not work in the old way anymore.
I was wondering if there is a place (a guide or a book) where I can find updated information. I am learning and it is kind of frustrating to try to set up policies and then realize that the main problem is that one is working based on old instructions, and those are not always valid (although some of them are valid some times). When I look for info on the internet most of the time I find instructions related to the old ways to work with selinux.

Thanks a lot,
Sandra

>
> --
> Stephen Smalley
> National Security Agency
>

From phddas at yahoo.com Mon Oct 2 07:13:57 2006
From: phddas at yahoo.com (Fred J.)
Date: Mon, 2 Oct 2006 00:13:57 -0700 (PDT)
Subject: sellinux line command
Message-ID: <20061002071357.3987.qmail@web54613.mail.yahoo.com>

Hi
while following the steps to install JRE as per
http://stanton-finley.net/fedora_core_5_installation_notes.html

the instruction which says:
If you have not already done so go to "System" > "Administration" > "Security Level and Firewall". Enter your root password and click "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on "Compatibility" to open it and tick the check box next to "Allow the use of shared libraries with Text Relocation". Click "ok". Reboot your machine to implement the new SELinux policy.

I don't have kde or gnome and neither of the following seems to match what the article is talking about.
# system-config-securitylevel
# system-config-securitylevel-tui
From paul at city-fan.org Mon Oct 2 07:43:38 2006
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 02 Oct 2006 08:43:38 +0100
Subject: sellinux line command
In-Reply-To: <20061002071357.3987.qmail@web54613.mail.yahoo.com>
References: <20061002071357.3987.qmail@web54613.mail.yahoo.com>
Message-ID: <1159775018.14816.29.camel@metropolis.intra.city-fan.org>

On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
> Hi
> while following the steps to install JRE as per
> http://stanton-finley.net/fedora_core_5_installation_notes.html
>
>
> the instruction which says:
> If you have not already done so go to "System" > "Administration" >
> "Security Level and Firewall". Enter your root password and click
> "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
> "Compatibility" to open it and tick the check box next to "Allow the
> use of shared libraries with Text Relocation". Click "ok". Reboot your
> machine to implement the new SELinux policy.
>
> I don't have kde or gnome and neither of the following seems to match
> what the article is talking about.
> # system-config-securitylevel
> # system-config-securitylevel-tui

This action sets the allow_execmod SELinux boolean. You could do that from the command line without using system-config-securitylevel as follows:

# setsebool -P allow_execmod 1

There is no need to reboot after doing this.

However, this is not the best way of solving the problem, as it relaxes security much more than necessary. A better way would be to set the SELinux context type of the java libraries to textrel_shlib_t, which would have the same effect but only for those particular libraries.

Paul.

From thethirddoorontheleft at verizon.net Mon Oct 2 08:07:39 2006
From: thethirddoorontheleft at verizon.net (Darwin H. Webb)
Date: Mon, 02 Oct 2006 01:07:39 -0700
Subject: Prelink, still
Message-ID: <4520C8CB.3020108@verizon.net>

setroubleshoot program (server and gnome-gui) has this showing.
restorecon -v /usr/bin/spamc to relabel it to spamc_t

It has only shown on the tool list once for 30th and 1st.

From thethirddoorontheleft at verizon.net Mon Oct 2 08:12:52 2006
From: thethirddoorontheleft at verizon.net (Darwin H. Webb)
Date: Mon, 02 Oct 2006 01:12:52 -0700
Subject: Squid what to access port 3008
Message-ID: <4520CA04.5010007@verizon.net>

Squid is denied access to port 3008 (may be printer?)
Is this a missing rule or a mis-label or is someone really trying to dump out ads on the printer?
I run the squid as default conf.

Darwin

From sds at tycho.nsa.gov Mon Oct 2 13:03:13 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 02 Oct 2006 09:03:13 -0400
Subject: creating a new user
In-Reply-To: <49382.66.71.92.111.1159732296.squirrel@66.71.92.111>
References: <49576.130.203.65.72.1159371198.squirrel@130.203.65.72> <1159372734.2260.1.camel@moss-spartans.epoch.ncsc.mil> <50286.130.203.65.72.1159408183.squirrel@130.203.65.72> <1159465470.13131.6.camel@moss-spartans.epoch.ncsc.mil> <49382.66.71.92.111.1159732296.squirrel@66.71.92.111>
Message-ID: <1159794193.6855.5.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2006-10-01 at 15:51 -0400, Sandra Julieta Rueda Rodriguez wrote:
> I was wondering if there is a place (a guide or a book) where I can find
> updated information. I am learning and it is kind of frustrating to try to
> set up policies and then realize that the main problem is that one is
> working based on old instructions, and those are not always valid
> (although some of them are valid some times). When I look for info on the
> internet most of the time I find instructions related to the old ways to
> work with selinux.
Of the available information resources ( http://selinux.sourceforge.net/resources.php3 ), the ones that are more likely to be current include:
- The Fedora Core 5 SELinux FAQ:
  http://fedora.redhat.com/docs/selinux-faq-fc5/
- The Fedora Project wiki SELinux page:
  http://fedoraproject.org/wiki/SELinux/
- The recently published SELinux by Example book:
  http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1

--
Stephen Smalley
National Security Agency

From phddas at yahoo.com Mon Oct 2 17:43:16 2006
From: phddas at yahoo.com (Fred J.)
Date: Mon, 2 Oct 2006 10:43:16 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <1159775018.14816.29.camel@metropolis.intra.city-fan.org>
Message-ID: <20061002174316.71358.qmail@web54607.mail.yahoo.com>

Paul Howarth wrote:
> On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>> Hi
>> while following the steps to install JRE as per
>> http://stanton-finley.net/fedora_core_5_installation_notes.html
>>
>>
>> the instruction which says:
>> If you have not already done so go to "System" > "Administration" >
>> "Security Level and Firewall". Enter your root password and click
>> "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
>> "Compatibility" to open it and tick the check box next to "Allow the
>> use of shared libraries with Text Relocation". Click "ok". Reboot your
>> machine to implement the new SELinux policy.
> ...
> This action sets the allow_execmod SELinux boolean. You could do that
> from the command line without using system-config-securitylevel as
> follows:
>
> # setsebool -P allow_execmod 1
>
> There is no need to reboot after doing this.
>
> However, this is not the best way of solving the problem, as it relaxes
> security much more than necessary. A better way would be to set the
> SELinux context type of the java libraries to textrel_shlib_t, which
> would have the same effect but only for those particular libraries.
>
> Paul.

set the SELinux context type ...
I don't understand, how is it done, could someone provide a link to the docs please.

From mra at hp.com Mon Oct 2 18:05:55 2006
From: mra at hp.com (Matt Anderson)
Date: Mon, 02 Oct 2006 14:05:55 -0400
Subject: Squid what to access port 3008
In-Reply-To: <4520CA04.5010007@verizon.net>
References: <4520CA04.5010007@verizon.net>
Message-ID: <45215503.9040006@hp.com>

Darwin H. Webb wrote:
> Squid is denied access to port 3008 (may be printer?)
> Is this a missing rule or a mis-label or is someone really trying to
> dump out ads on the printer?
> I run the squid as default conf.

Printers tend to be ports 631 and port 9100, both tcp. Looking through my squid.conf I don't see anything port 3008 related, nor when I grep /etc/services. Are you seeing this at squid startup, or after it has been running for a while? Could this be squid attempting to proxy a client request?

-matt

From selinux at gmail.com Mon Oct 2 19:37:16 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 2 Oct 2006 12:37:16 -0700
Subject: AVC from Hibernate?
Message-ID: <4c4ba1530610021237s4b0a7c8cp59529966ce7112f2@mail.gmail.com>

Running today's rawhide, targeted/enforcing.

I believe I got the following attempting to do a 'hibernate'. Does this make sense (e.g., grub trying to write stage2)?
type=AVC msg=audit(1159816717.165:22): avc: denied { write } for pid=3422 comm="grub" name="stage2" dev=sda3 ino=10087 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:boot_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1159816717.165:22): arch=40000003 syscall=5 success=no exit=-13 a0=807b747 a1=2 a2=1b6 a3=8c8dc38 items=0 ppid=3405 pid=3422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="grub" exe="/sbin/grub" subj=system_u:system_r:bootloader_t:s0 key=(null)

tom
--
Tom London

From dwalsh at redhat.com Mon Oct 2 20:10:33 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Oct 2006 16:10:33 -0400
Subject: MLS policy and the X server
Message-ID: <45217239.7090902@redhat.com>

Salvo Giuffrida wrote:
> Is it "normal" that, with the MLS policy (FC5), the X server doesn't
> work? Did anyone have problems with it?
> Thanks

The MLS policy is a server only policy. X-Windows is not supported.

From bruno at wolff.to Mon Oct 2 21:37:16 2006
From: bruno at wolff.to (Bruno Wolff III)
Date: Mon, 2 Oct 2006 16:37:16 -0500
Subject: sellinux line command
In-Reply-To: <20061002174316.71358.qmail@web54607.mail.yahoo.com>
References: <1159775018.14816.29.camel@metropolis.intra.city-fan.org> <20061002174316.71358.qmail@web54607.mail.yahoo.com>
Message-ID: <20061002213716.GB3865@wolff.to>

On Mon, Oct 02, 2006 at 10:43:16 -0700, "Fred J." wrote:
>
> set the SELinux context type ...
> I don't understand, how is it done, could someone provide a link to the docs please.

The command to change security context is chcon. There is a man page for it.
If you have further interest in selinux, you might take a look at:
http://fedoraproject.org/wiki/SELinux

From phddas at yahoo.com Tue Oct 3 02:29:27 2006
From: phddas at yahoo.com (Fred J.)
Date: Mon, 2 Oct 2006 19:29:27 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <1159775018.14816.29.camel@metropolis.intra.city-fan.org>
Message-ID: <20061003022927.93721.qmail@web54606.mail.yahoo.com>

Paul Howarth wrote:
> On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>> Hi
>> while following the steps to install JRE as per
>> http://stanton-finley.net/fedora_core_5_installation_notes.html
>>
>>
>> the instruction which says:
>> If you have not already done so go to "System" > "Administration" >
>> "Security Level and Firewall". Enter your root password and click
>> "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
>> "Compatibility" to open it and tick the check box next to "Allow the
>> use of shared libraries with Text Relocation". Click "ok". Reboot your
>> machine to implement the new SELinux policy.
>>
>> I don't have kde or gnome and neither of the following seems to match
>> what the article is talking about.
>> # system-config-securitylevel
>> # system-config-securitylevel-tui
>
> This action sets the allow_execmod SELinux boolean. You could do that
> from the command line without using system-config-securitylevel as
> follows:
>
> # setsebool -P allow_execmod 1
>
> There is no need to reboot after doing this.
>
> However, this is not the best way of solving the problem, as it relaxes
> security much more than necessary. A better way would be to set the
> SELinux context type of the java libraries to textrel_shlib_t, which
> would have the same effect but only for those particular libraries.
>
> Paul.

does this mean that I should ignore the step in the instruction which talks about "Allow the use of shared libraries with Text Relocation".
and go ahead with the rest of the steps as listed here
http://stanton-finley.net/fedora_core_5_installation_notes.html under Java and then go back and set the SELinux context type of the java libraries to textrel_shlib_t. ?

From paul at city-fan.org Tue Oct 3 08:54:38 2006
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 03 Oct 2006 09:54:38 +0100
Subject: sellinux line command
In-Reply-To: <20061003022927.93721.qmail@web54606.mail.yahoo.com>
References: <20061003022927.93721.qmail@web54606.mail.yahoo.com>
Message-ID: <4522254E.70706@city-fan.org>

Fred J. wrote:
>
> Paul Howarth wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>> Hi
>> while following the steps to install JRE as per
>> http://stanton-finley.net/fedora_core_5_installation_notes.html
>>
>>
>> the instruction which says:
>> If you have not already done so go to "System" > "Administration" >
>> "Security Level and Firewall". Enter your root password and click
>> "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
>> "Compatibility" to open it and tick the check box next to "Allow the
>> use of shared libraries with Text Relocation". Click "ok". Reboot your
>> machine to implement the new SELinux policy.
>>
>> I don't have kde or gnome and neither of the following seems to match
>> what the article is talking about.
>> # system-config-securitylevel
>> # system-config-securitylevel-tui
>
> This action sets the allow_execmod SELinux boolean. You could do that
> from the command line without using system-config-securitylevel as
> follows:
>
> # setsebool -P allow_execmod 1
>
> There is no need to reboot after doing this.
>
> However, this is not the best way of solving the problem, as it relaxes
> security much more than necessary.
> A better way would be to set the
> SELinux context type of the java libraries to textrel_shlib_t, which
> would have the same effect but only for those particular libraries.
>
> Paul.
>
> does this mean that I should ignore the step in the instruction which talks about
> "Allow the use of shared libraries with Text Relocation".
> and go ahead with the rest of the steps as listed here
> http://stanton-finley.net/fedora_core_5_installation_notes.html under Java and then go back and set the SELinux context type of the java libraries to textrel_shlib_t. ?

Yes, you could do it that way. However, I think a better way, from both a system maintenance and SELinux point of view, would be to use the JPackage RPMs. You need to build these yourself due to the way Sun license Java, and this may appear at first to be a daunting prospect, but it's not difficult really. See:

http://www.city-fan.org/tips/JpackageJava

Installing Java using the JPackage RPMs will get all of the SELinux contexts set correctly "out of the box" and the software will be managed by RPM, just like all the other software on the system. It really is the best way IMHO.

Paul.

From dwalsh at redhat.com Tue Oct 3 11:49:34 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 03 Oct 2006 07:49:34 -0400
Subject: prelink, still?
In-Reply-To: <4c4ba1530610011019p176b2e8arbc3a3b47bb363d49@mail.gmail.com>
References: <4c4ba1530610011019p176b2e8arbc3a3b47bb363d49@mail.gmail.com>
Message-ID: <45224E4E.3090001@redhat.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
>
> Policy: selinux-policy-2.3.16-9
>
> I'm still getting:
>
> type=AVC msg=audit(1159700653.385:150): avc: denied { execute } for
> pid=7605 comm="ld-linux.so.2" name="spamc" dev=dm-0 ino=5488531
> scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1159700653.385:150): arch=40000003 syscall=192
> success=no exit=-13 a0=8048000 a1=7000 a2=5 a3=812 items=0 ppid=7526
> pid=7605 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.4.90.so"
> subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1159700653.385:150): path="/usr/bin/spamc"
>
> That expected?
>
> tom

No, it should be fixed in today's update.

From olivares14031 at yahoo.com Tue Oct 3 16:51:15 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 3 Oct 2006 09:51:15 -0700 (PDT)
Subject: errors on fedora core 6-test3 updated as of 20061002
Message-ID: <20061003165115.87270.qmail@web52606.mail.yahoo.com>

Dear all,

I get the following message(s) when I do a dmesg. I lost connection to the network and I am looking for a solution.
Here are the avc's that I get

SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
audit(1159868098.257:4): avc: denied { name_bind } for pid=1890 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1159868103.789:5): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:6): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:7): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:8): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:9): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
eth0: no IPv6 routers present
audit(1159872008.506:10): avc: denied { getattr } for pid=2908 comm="sendmail" name="root" dev=dm-0 ino=9066497 scontext=system_u:system_r:system_mail_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

Thanks,
Antonio

From soxos at gmx.de Tue Oct 3 17:12:56 2006
From: soxos at gmx.de (Andreas Sachs)
Date: Tue, 3 Oct 2006 19:12:56 +0200
Subject: How to build a local (unionfs) policy module for Fedora Core 5 (kernel 2.6.17)?
Message-ID: <00d301c6e70f$2b9d69a0$0b01a8c0@mediacenterpc>

Hello,

I'm trying to build a local unionfs policy module for Fedora Core 5 (kernel 2.6.17).
SELinux is set to enforcing and the policy type is targeted.

After I mount a union, I get the following in my /var/log/messages

Nov 6 13:34:41 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling

I have written a local unionfs policy module:

policy_module(unionfs, 1.0)

require {
	type fs_t;
};

fs_use_xattr unionfs system_u:object_r:fs_t;

But I get a syntax error:

Compiling targeted unionfs module
/usr/bin/checkmodule: loading policy configuration from tmp/unionfs.tmp
unionfs.te:8:ERROR 'syntax error' at token 'fs_use_xattr' on line 59102:
fs_use_xattr unionfs system_u:object_r:fs_t;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/unionfs.mod] Fehler 1

How can I do it right?

Thanks

Andreas Sachs

From phddas at yahoo.com Tue Oct 3 17:59:03 2006
From: phddas at yahoo.com (Fred J.)
Date: Tue, 3 Oct 2006 10:59:03 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <4522254E.70706@city-fan.org>
Message-ID: <20061003175904.16324.qmail@web54614.mail.yahoo.com>

Paul Howarth wrote:
> Fred J. wrote:
>>
>> Paul Howarth wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>> Hi
>>> while following the steps to install JRE as per
>>> http://stanton-finley.net/fedora_core_5_installation_notes.html
>>>
>>>
>>> the instruction which says:
>>> If you have not already done so go to "System" > "Administration" >
>>> "Security Level and Firewall". Enter your root password and click
>>> "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on
>>> "Compatibility" to open it and tick the check box next to "Allow the
>>> use of shared libraries with Text Relocation". Click "ok". Reboot your
>>> machine to implement the new SELinux policy.
>>>
>>> I don't have kde or gnome and neither of the following seems to match
>>> what the article is talking about.
>>> # system-config-securitylevel
>>> # system-config-securitylevel-tui
>>
>> This action sets the allow_execmod SELinux boolean. You could do that
>> from the command line without using system-config-securitylevel as
>> follows:
>>
>> # setsebool -P allow_execmod 1
>>
>> There is no need to reboot after doing this.
>>
>> However, this is not the best way of solving the problem, as it relaxes
>> security much more than necessary. A better way would be to set the
>> SELinux context type of the java libraries to textrel_shlib_t, which
>> would have the same effect but only for those particular libraries.
>>
>> Paul.
>>
>> does this mean that I should ignore the step in the instruction which talks about
>> "Allow the use of shared libraries with Text Relocation".
>> and go ahead with the rest of the steps as listed here
>> http://stanton-finley.net/fedora_core_5_installation_notes.html under Java and then go back and set the SELinux context type of the java libraries to textrel_shlib_t. ?
>
> Yes, you could do it that way. However, I think a better way, from both a
> system maintenance and SELinux point of view, would be to use the JPackage
> RPMs. You need to build these yourself due to the way Sun license Java, and
> this may appear at first to be a daunting prospect, but it's not difficult
> really. See:
>
> http://www.city-fan.org/tips/JpackageJava
>
> Installing Java using the JPackage RPMs will get all of the SELinux contexts
> set correctly "out of the box" and the software will be managed by RPM, just
> like all the other software on the system. It really is the best way IMHO.
>
> Paul.

Paul thanks a lot, after going through the link I now have it.

[fred at localhost i586]$ java -version
java version "1.5.0_09"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode, sharing)
[fred at localhost i586]$ cd /usr/lib/mozilla/plugins/
[fred at localhost plugins]$ ls
[fred at localhost plugins]$ ls -a
.  ..
[fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so .
Password:
[fred at localhost plugins]$ ls -l
total 4
lrwxrwxrwx 1 root root 62 Oct  4 03:46 libjavaplugin_oji.so -> ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so

however when I restart firefox, and go to a suitable page, it still asks to install a plugin JRE.

From phddas at yahoo.com Tue Oct 3 18:39:02 2006
From: phddas at yahoo.com (Fred J.)
Date: Tue, 3 Oct 2006 11:39:02 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <20061003175904.16324.qmail@web54614.mail.yahoo.com>
Message-ID: <20061003183902.68213.qmail@web54601.mail.yahoo.com>

"Fred J." wrote:
> Paul Howarth wrote:
>> Fred J. wrote:
>>>
>>> Paul Howarth wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>>> Hi
>>>> while following the steps to install JRE as per
...
>> Paul.
>
> Paul thanks a lot, after going through the link I now have it.
>
> [fred at localhost i586]$ java -version
> java version "1.5.0_09"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
> Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode, sharing)
> [fred at localhost i586]$ cd /usr/lib/mozilla/plugins/
> [fred at localhost plugins]$ ls
> [fred at localhost plugins]$ ls -a
> .  ..
> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so .
> Password:
> [fred at localhost plugins]$ ls -l
> total 4
> lrwxrwxrwx 1 root root 62 Oct  4 03:46 libjavaplugin_oji.so -> ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so
>
> however when I restart firefox, and go to a suitable page, it still asks to install a plugin JRE.

I found the problem

[fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java-1.
java-1.4.2-gcj-1.4.2.0/  java-1.5.0-sun-1.5.0.09/
it looks like I have to uninstall the jre 1.4.2 I embarked upon before.

From dwalsh at redhat.com Tue Oct 3 20:33:34 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 03 Oct 2006 16:33:34 -0400
Subject: People running Postfix in FC5 not running Selinux?
In-Reply-To: <80d7e4090610011221s454f1381w19b5e97b9714642f@mail.gmail.com>
References: <80d7e4090609291708h1fe2a33cx68e67a67053b1cbc@mail.gmail.com> <80d7e4090610011221s454f1381w19b5e97b9714642f@mail.gmail.com>
Message-ID: <4522C91E.5060306@redhat.com>

Stephen John Smoogen wrote:
> On 9/29/06, Stephen John Smoogen wrote:
>> I installed a system from the original FC5 disks and updated to latest versions in yum repos. I changed over to postfix and found that it wasn't working for some reason.. no errors to /var/log/messages or /var/log/secure.. and I completely forgot for a day to look at audit.
>
> That has to be the worst subject I could have come up with. Probably not enough sleep.
>
> ...
>> postfix was able to start email but could not do a mailq
>> doing a mailq showed me things like
>>
>> allow postfix_local_t initrc_var_run_t:file { read write };
>> allow postfix_showq_t initrc_var_run_t:file { read write };
>>
>> type=AVC msg=audit(1159574724.622:397): avc: denied { read write } for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
>> Was caused by:
>> Missing or disabled TE allow rule.
>> Allow rules may exist but be disabled by boolean settings; check boolean settings.
>> You can see the necessary allow rules by running audit2allow with this audit message as input.
>>
>> type=AVC msg=audit(1159574753.636:398): avc: denied { read write } for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871 scontext=system_u:system_r:postfix_showq_t:s0 tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
>> Was caused by:
>> Missing or disabled TE allow rule.
>> Allow rules may exist but be disabled by boolean settings; check boolean settings.
>> You can see the necessary allow rules by running audit2allow with this audit message as input.
>>
>> Not sure what I should do next. Turning off the selinux
>> selinux-policy-targeted-2.3.7-2.fc5
>> selinux-policy-2.3.7-2.fc5
>>
This looks like a labeling problem. Which directory are unix.showq and unix.local in? Labeled initrc_var_run_t means they were created in an init script and SELinux policy is denying access to these files.

From dwalsh at redhat.com Tue Oct 3 20:57:19 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 03 Oct 2006 16:57:19 -0400
Subject: Mounting the news spool
In-Reply-To: <1159694806.14816.13.camel@metropolis.intra.city-fan.org>
References: <451DA960.5080804@3di.it> <1159694806.14816.13.camel@metropolis.intra.city-fan.org>
Message-ID: <4522CEAF.5040907@redhat.com>

Paul Howarth wrote:
> On Sat, 2006-09-30 at 01:16 +0200, Davide Bolcioni wrote:
>
>> Greetings,
>> while attempting to set up leafnode I had a problem with mounting its spool, /var/spool/news:
>>
>> Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied { mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
>>
>> Using audit2why and then audit2allow I was able to come up with the following .te policy:
>>
>> module news 1.0;
>>
>> require {
>>     class dir mounton;
>>     type mount_t;
>>     type news_spool_t;
>>     role system_r;
>> };
>>
>> allow mount_t news_spool_t:dir mounton;
>>
>> which to my untrained eye looked good.
>> Researching the archives before writing this, however, I came upon the answer for a similar problem:
>>
>> https://www.redhat.com/archives/fedora-selinux-list/2006-August/msg00096.html
>>
>> and found out that it would probably have been enough to label the mount point mnt_t (haven't tried it yet). Assuming it works, how should I have found out about it? I tried rpm -qd and found out about the selinux-policy documentation, but nothing showed up for the targeted policy. In this context, isn't audit2allow somewhat ... dangerous?
>>
>> Or was it just a shortcoming in the leafnode RPM, so I should be looking at what INN is doing instead?
>>
>
> This sort of problem only usually crops up when you add a mountpoint post-installation. It's not really something that can be anticipated by packagers of general applications like leafnode (in fact it's a problem for mount rather than a problem for leafnode). It might be useful for SELinux diagnostic tools to note that "mounton" problems are usually the result of a labelling problem rather than a policy problem though.
>
There already is one.

> Labelling the mountpoint as mnt_t should indeed fix this problem.
>
> Paul.

[Attachment: mounton.py, text/x-python, 1931 bytes]

From phddas at yahoo.com Wed Oct 4 05:11:15 2006
From: phddas at yahoo.com (Fred J.)
Date: Tue, 3 Oct 2006 22:11:15 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <4522254E.70706@city-fan.org>
Message-ID: <20061004051115.66122.qmail@web54613.mail.yahoo.com>

Paul Howarth wrote:
Fred J. wrote:
> > Paul Howarth wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>> Hi
>> ...
Yes, you could do it that way.
However, I think a better way, from both a system maintenance and SELinux point of view, would be to use the JPackage RPMs. You need to build these yourself due to the way Sun license Java, and this may appear at first to be a daunting prospect, but it's not difficult really. See: http://www.city-fan.org/tips/JpackageJava

Installing Java using the JPackage RPMs will get all of the SELinux contexts set correctly "out of the box" and the software will be managed by RPM, just like all the other software on the system. It really is the best way IMHO.

Paul.

Paul, do you know of a similar way to install the adobe "pdf reader" plugin for firefox?
thanks

From paul at city-fan.org Wed Oct 4 10:19:36 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 04 Oct 2006 11:19:36 +0100
Subject: sellinux line command
In-Reply-To: <20061003183902.68213.qmail@web54601.mail.yahoo.com>
References: <20061003183902.68213.qmail@web54601.mail.yahoo.com>
Message-ID: <45238AB8.10206@city-fan.org>

Fred J. wrote:
> 
> "Fred J." wrote:
> 
> Paul Howarth wrote: Fred J. wrote:
>> Paul Howarth > wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>> Hi
>>> while following the steps to install JRE as per
> ...
> 
> Paul.
> 
> Paul
> thanks a lot
> after going through the link I now have it.
> [fred at localhost i586]$ java -version
> java version "1.5.0_09"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
> Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode, sharing)
> [fred at localhost i586]$ cd /usr/lib/mozilla/plugins/
> [fred at localhost plugins]$ ls
> [fred at localhost plugins]$ ls -a
> .  ..
> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so .
> Password:
> [fred at localhost plugins]$ ls -l
> total 4
> lrwxrwxrwx 1 root root 62 Oct  4 03:46 libjavaplugin_oji.so -> ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so
> 
> however when I restart firefox, and go to a suitable page, it still asks to install a plugin JRE.
> I found the problem
> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java-1.
> java-1.4.2-gcj-1.4.2.0/  java-1.5.0-sun-1.5.0.09/
> it looks like I have to uninstall the jre 1.4.2 I embarked upon before.

../../../lib/jvm/java should be a symlink to /etc/alternatives/java_sdk, which should be a symlink to /usr/lib/jvm/java-1.5.0-sun (set up using "alternatives"), which should be a symlink to java-1.5.0-sun-1.5.0.09.

By following all of these symlinks, libjavaplugin_oji.so should point to /usr/lib/jvm/java-1.5.0-sun-1.5.0.09/jre/plugin/i386/ns7/libjavaplugin_oji.so.

The java-1.4.2-gcj-1.4.2.0 directory is the gcj-based implementation that comes with Fedora. Stanton's instructions have java installed under /opt.

Paul.

From paul at city-fan.org Wed Oct 4 10:29:14 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 04 Oct 2006 11:29:14 +0100
Subject: Mounting the news spool
In-Reply-To: <4522CEAF.5040907@redhat.com>
References: <451DA960.5080804@3di.it> <1159694806.14816.13.camel@metropolis.intra.city-fan.org> <4522CEAF.5040907@redhat.com>
Message-ID: <45238CFA.9090408@city-fan.org>

Daniel J Walsh wrote:
> Paul Howarth wrote:
>> This sort of problem only usually crops up when you add a mountpoint post-installation. It's not really something that can be anticipated by packagers of general applications like leafnode (in fact it's a problem for mount rather than a problem for leafnode). It might be useful for SELinux diagnostic tools to note that "mounton" problems are usually the result of a labelling problem rather than a policy problem though.
>>
>>
> There already is one. (setroubleshoot plugin snipped)

Splendid.
Looking forward to FC6, won't be long now :-)

Paul.

From paul at city-fan.org Wed Oct 4 13:28:47 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 04 Oct 2006 14:28:47 +0100
Subject: sellinux line command
In-Reply-To: <20061004051115.66122.qmail@web54613.mail.yahoo.com>
References: <20061004051115.66122.qmail@web54613.mail.yahoo.com>
Message-ID: <4523B70F.2040607@city-fan.org>

Fred J. wrote:
> 
> Paul Howarth wrote: Fred J. wrote:
>> Paul Howarth > wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>> Hi
>>> ...
> Yes, you could do it that way.
> 
> However, I think a better way, from both a system maintenance and SELinux point of view, would be to use the JPackage RPMs. You need to build these yourself due to the way Sun license Java, and this may appear at first to be a daunting prospect, but it's not difficult really. See: http://www.city-fan.org/tips/JpackageJava
> 
> Installing Java using the JPackage RPMs will get all of the SELinux contexts set correctly "out of the box" and the software will be managed by RPM, just like all the other software on the system. It really is the best way IMHO.
> 
> Paul.
> 
> Paul, do you know of a similar way to install the adobe "pdf reader" plugin for firefox?

Try this: http://www.city-fan.org/tips/AdobeReaderOnFedora

Note to Dan:

The RPMforge mozilla-acroread package hardlinks the plugin nppdf.so into three different locations:

/usr/lib/acroread/Browser/intellinux/nppdf.so
/usr/lib/mozilla/plugins/nppdf.so
/usr/lib/netscape/plugins/nppdf.so

Only one of these is caught by the current context types, so it will end up labelled lib_t. I suggest the following addition to policy:

/usr/lib/[^/]*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)

Paul.

From sds at tycho.nsa.gov Wed Oct 4 14:15:12 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 04 Oct 2006 10:15:12 -0400
Subject: How to build a local (unionfs) policy module for Fedora Core 5 (kernel 2.6.17)?
In-Reply-To: <00d301c6e70f$2b9d69a0$0b01a8c0@mediacenterpc>
References: <00d301c6e70f$2b9d69a0$0b01a8c0@mediacenterpc>
Message-ID: <1159971312.19176.60.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2006-10-03 at 19:12 +0200, Andreas Sachs wrote:
> Hello,
>
> I'm trying to build a local unionfs policy module for Fedora Core 5 (kernel 2.6.17). SELinux is set to enforcing and the policy type is targeted.
>
> After I mount a union, I get the following in my /var/log/messages
>
> Nov 6 13:34:41 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling
>
> I have written a local unionfs policy module:
>
> policy_module(unionfs, 1.0)
>
> require {
>     type fs_t;
> };
>
> fs_use_xattr unionfs system_u:object_r:fs_t;
>
> But I get a syntax error:
>
> Compiling targeted unionfs module
> /usr/bin/checkmodule: loading policy configuration from tmp/unionfs.tmp
> unionfs.te:8:ERROR 'syntax error' at token 'fs_use_xattr' on line 59102:
> fs_use_xattr unionfs system_u:object_r:fs_t;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/unionfs.mod] Error 1
>
> How can I do it right?

Policy modules (other than the base) only support a subset of the language, and fs_use_xattr is not supported in a non-base module. Thus, your options (as previously stated) are:

1) Grab the policy .src.rpm or upstream sources, modify them, and rebuild, or
2) Use a context= mount to set a single fixed label on the entire mount.

-- 
Stephen Smalley
National Security Agency

From phddas at yahoo.com Wed Oct 4 16:34:39 2006
From: phddas at yahoo.com (Fred J.)
Date: Wed, 4 Oct 2006 09:34:39 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <45238AB8.10206@city-fan.org>
Message-ID: <20061004163440.31822.qmail@web54601.mail.yahoo.com>

Paul Howarth wrote:
Fred J. wrote:
> 
> "Fred J." wrote:
> 
> Paul Howarth wrote: Fred J. wrote:
>> Paul Howarth > wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>> Hi
>>> while following the steps to install JRE as per
> ...
> 
> Paul.
> 
> Paul
> thanks a lot
> after going through the link I now have it.
> [fred at localhost i586]$ java -version
> java version "1.5.0_09"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
> Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode, sharing)
> [fred at localhost i586]$ cd /usr/lib/mozilla/plugins/
> [fred at localhost plugins]$ ls
> [fred at localhost plugins]$ ls -a
> .  ..
> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so .
> Password:
> [fred at localhost plugins]$ ls -l
> total 4
> lrwxrwxrwx 1 root root 62 Oct  4 03:46 libjavaplugin_oji.so -> ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so
> 
> however when I restart firefox, and go to a suitable page, it still asks to install a plugin JRE.
> I found the problem
> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java-1.
> java-1.4.2-gcj-1.4.2.0/  java-1.5.0-sun-1.5.0.09/
> it looks like I have to uninstall the jre 1.4.2 I embarked upon before.

../../../lib/jvm/java should be a symlink to /etc/alternatives/java_sdk, which should be a symlink to /usr/lib/jvm/java-1.5.0-sun (set up using "alternatives"), which should be a symlink to java-1.5.0-sun-1.5.0.09.

By following all of these symlinks, libjavaplugin_oji.so should point to /usr/lib/jvm/java-1.5.0-sun-1.5.0.09/jre/plugin/i386/ns7/libjavaplugin_oji.so.

I don't have "../../../lib/jvm/java"
]$ cd /usr/lib/mozilla/plugins/
[fred at localhost plugins]$ ls -l ../../../lib/jvm
jvm/  jvm-commmon/  jvm-exports/  jvm-private/
[fred at localhost plugins]$ ls -l ../../../lib/jvm/java-1.
java-1.4.2-gcj-1.4.2.0/  java-1.5.0-sun-1.5.0.09/

as well as "/etc/alternatives/java_sdk"
[fred at localhost ~]$ ls -l /etc/alternatives/java
java  java.1.gz  javaws  javaws.1.gz

am I still ok?
thank you

From paul at city-fan.org Wed Oct 4 17:37:56 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 04 Oct 2006 18:37:56 +0100
Subject: sellinux line command
In-Reply-To: <20061004163440.31822.qmail@web54601.mail.yahoo.com>
References: <20061004163440.31822.qmail@web54601.mail.yahoo.com>
Message-ID: <4523F174.4050306@city-fan.org>

Fred J. wrote:
> 
> Paul Howarth wrote: Fred J. wrote:
>> "Fred J." > wrote:
>> Paul Howarth > wrote: Fred J. wrote:
>>> Paul Howarth >> wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>>> Hi
>>>> while following the steps to install JRE as per
>> ...
>> 
>> Paul.
>> 
>> Paul
>> thanks a lot
>> after going through the link I now have it.
>> [fred at localhost i586]$ java -version
>> java version "1.5.0_09"
>> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
>> Java HotSpot(TM) Client VM (build 1.5.0_09-b01, mixed mode, sharing)
>> [fred at localhost i586]$ cd /usr/lib/mozilla/plugins/
>> [fred at localhost plugins]$ ls
>> [fred at localhost plugins]$ ls -a
>> .  ..
>> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so .
>> Password:
>> [fred at localhost plugins]$ ls -l
>> total 4
>> lrwxrwxrwx 1 root root 62 Oct  4 03:46 libjavaplugin_oji.so -> ../../../lib/jvm/java/jre/plugin/i386/ns7/libjavaplugin_oji.so
>> 
>> however when I restart firefox, and go to a suitable page, it still asks to install a plugin JRE.
>> I found the problem
>> [fred at localhost plugins]$ sudo ln -s ../../../lib/jvm/java-1.
>> java-1.4.2-gcj-1.4.2.0/  java-1.5.0-sun-1.5.0.09/
>> it looks like I have to uninstall the jre 1.4.2 I embarked upon before.
> 
> ../../../lib/jvm/java should be a symlink to /etc/alternatives/java_sdk, which should be a symlink to /usr/lib/jvm/java-1.5.0-sun (set up using "alternatives"), which should be a symlink to java-1.5.0-sun-1.5.0.09.
> 
> By following all of these symlinks, libjavaplugin_oji.so should point to /usr/lib/jvm/java-1.5.0-sun-1.5.0.09/jre/plugin/i386/ns7/libjavaplugin_oji.so.
> 
> 
> I don't have "../../../lib/jvm/java"
> ]$ cd /usr/lib/mozilla/plugins/
> [fred at localhost plugins]$ ls -l ../../../lib/jvm
> jvm/  jvm-commmon/  jvm-exports/  jvm-private/
> [fred at localhost plugins]$ ls -l ../../../lib/jvm/java-1.
> java-1.4.2-gcj-1.4.2.0/  java-1.5.0-sun-1.5.0.09/
> 
> as well as "/etc/alternatives/java_sdk"
> [fred at localhost ~]$ ls -l /etc/alternatives/java
> java  java.1.gz  javaws  javaws.1.gz
> 
> 
> am I still ok?

The key thing is that /usr/lib/mozilla/plugins/libjavaplugin_oji.so be a symlink that eventually ends up at the libjavaplugin_oji.so from the java-1.5.0-sun-plugin package. If that's the case, everything should work.

Paul.

From phddas at yahoo.com Wed Oct 4 18:36:12 2006
From: phddas at yahoo.com (Fred J.)
Date: Wed, 4 Oct 2006 11:36:12 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <4523B70F.2040607@city-fan.org>
Message-ID: <20061004183612.54257.qmail@web54613.mail.yahoo.com>

Paul Howarth wrote:
Fred J. wrote:
> 
> Paul Howarth wrote: Fred J. wrote:
>> Paul Howarth > wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>> Hi
>>> ...
> Yes, you could do it that way.
> 
> However, I think a better way, from both a system maintenance and SELinux point of view, would be to use the JPackage RPMs. You need to build these yourself due to the way Sun license Java, and this may appear at first to be a daunting prospect, but it's not difficult really.
> See: http://www.city-fan.org/tips/JpackageJava
> 
> Installing Java using the JPackage RPMs will get all of the SELinux contexts set correctly "out of the box" and the software will be managed by RPM, just like all the other software on the system. It really is the best way IMHO.
> 
> Paul.
> 
> Paul, do you know of a similar way to install the adobe "pdf reader" plugin for firefox?

Try this: http://www.city-fan.org/tips/AdobeReaderOnFedora

Note to Dan:

The RPMforge mozilla-acroread package hardlinks the plugin nppdf.so into three different locations:

/usr/lib/acroread/Browser/intellinux/nppdf.so
/usr/lib/mozilla/plugins/nppdf.so
/usr/lib/netscape/plugins/nppdf.so

Only one of these is caught by the current context types, so it will end up labelled lib_t. I suggest the following addition to policy:

/usr/lib/[^/]*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)

Paul.

thanks Paul
do you have a link for macromedia as well? I searched http://www.city-fan.org/ but could not come up with something.

From phddas at yahoo.com Wed Oct 4 19:22:39 2006
From: phddas at yahoo.com (Fred J.)
Date: Wed, 4 Oct 2006 12:22:39 -0700 (PDT)
Subject: sellinux line command
In-Reply-To: <4523B70F.2040607@city-fan.org>
Message-ID: <20061004192239.45698.qmail@web54605.mail.yahoo.com>

Paul Howarth wrote:
Fred J. wrote:
> 
> Paul Howarth wrote: Fred J. wrote:
>> Paul Howarth > wrote: On Mon, 2006-10-02 at 00:13 -0700, Fred J. wrote:
>>> Hi
>>> ...
> Yes, you could do it that way
> ....
> 
> Paul, do you know of a similar way to install the adobe "pdf reader" plugin for firefox?
Try this: http://www.city-fan.org/tips/AdobeReaderOnFedora

I used /www.city-fan.org/tips/AdobeReaderOnFedora and because my wget is broken, I downloaded the files with the browser and saved them in ~/rpmbuild/SOURCES/

[fred at localhost SOURCES]$ ls -1
acroread-7.0.8-1.rf.nosrc.rpm
AdobeReader_enu-7.0.8-1.i386.tar.gz
jdk-1_5_0_09-linux-i586.bin

[localhost ~]$ rpmbuild --rebuild acroread-7.0.8-1.rf.nosrc.rpm

gave a long output which ended with
****************************************************************
...
Reader/intellinux/plug_ins/SOAP.api
/bin/tar: Reader/intellinux/plug_ins/SOAP.api: Wrote only 4096 of 10240 bytes
/bin/tar: Skipping to next header
/bin/tar: Error exit delayed from previous errors
error: Bad exit status from /var/tmp/rpm-tmp.59796 (%install)

RPM build errors:
    InstallSourcePackage: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
    user dag does not exist - using root
    group dag does not exist - using root
    Bad exit status from /var/tmp/rpm-tmp.59796 (%install)
****************************************************************

thank you

From paul at city-fan.org Wed Oct 4 19:22:49 2006
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 04 Oct 2006 20:22:49 +0100
Subject: sellinux line command
In-Reply-To: <20061004183612.54257.qmail@web54613.mail.yahoo.com>
References: <20061004183612.54257.qmail@web54613.mail.yahoo.com>
Message-ID: <1159989769.31568.1.camel@metropolis.intra.city-fan.org>

On Wed, 2006-10-04 at 11:36 -0700, Fred J. wrote:
> do you have a link for macromedia as well? I searched http://www.city-fan.org/ but could not come up with something.

I only wrote the Adobe Reader one today. Best I can suggest for flash is to try this:

http://macromedia.mplug.org/faq.html#fedora

I've no idea if it works, or how well it works.

Paul.
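Added example (mine, not Paul's and not taken from the policy): a small Python model of how setfiles matches a file_contexts entry against paths, used to check that the proposed "/usr/lib/[^/]*/plugins/nppdf\.so" line above really covers the two hardlink locations that currently fall through to lib_t. The thread does not show the stock file_contexts, so the two pre-existing entries here (a catch-all /usr/lib(/.*)? giving lib_t, and an acroread-specific textrel_shlib_t entry) are constructed stand-ins; the matcher anchors each regex the way setfiles does, honours the "--" regular-file filter, and applies the last-match-wins rule from setfiles(8).

```python
import re
from typing import List, Optional, Tuple

# One file_contexts entry: regex, optional file-type filter ("--" regular
# file, "-d" directory, ... or None for any type) and the context to apply.
# "<<none>>" in the context column means leave the file unlabelled.
Spec = Tuple[str, Optional[str], str]


def compile_specs(specs: List[Spec]):
    """Compile specs once; setfiles anchors every regex as ^...$."""
    return [(re.compile("^(?:" + pattern + ")$"), ftype, ctx)
            for pattern, ftype, ctx in specs]


def match_context(compiled, path: str, ftype: str = "--") -> Optional[str]:
    """Return the context a path would receive: the LAST matching entry wins.

    Entries carrying a file-type filter are skipped unless it equals ftype.
    None means no entry matched (or the match was <<none>>).
    """
    for regex, spec_ftype, ctx in reversed(compiled):
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.match(path):
            return None if ctx == "<<none>>" else ctx
    return None


def context_type(ctx: Optional[str]) -> Optional[str]:
    """Third colon-separated field of a context is the type."""
    return None if ctx is None else ctx.split(":")[2]


# Constructed stand-ins for the stock policy (not shown in the thread):
# a catch-all lib_t entry plus one that already covers the acroread copy.
BASE_SPECS: List[Spec] = [
    ("/usr/lib(/.*)?", None, "system_u:object_r:lib_t:s0"),
    ("/usr/lib/acroread(/.*)?/nppdf\\.so", "--", "system_u:object_r:textrel_shlib_t:s0"),
]

# Paul's proposed addition, verbatim from the message above.
PAUL_SPEC: Spec = ("/usr/lib/[^/]*/plugins/nppdf\\.so", "--",
                   "system_u:object_r:textrel_shlib_t:s0")

# The three hardlinked locations Paul lists.
NPPDF_PATHS = [
    "/usr/lib/acroread/Browser/intellinux/nppdf.so",
    "/usr/lib/mozilla/plugins/nppdf.so",
    "/usr/lib/netscape/plugins/nppdf.so",
]


def label_all(specs: List[Spec], paths: List[str] = NPPDF_PATHS) -> dict:
    """Map each path to the type it would get under these specs."""
    compiled = compile_specs(specs)
    return {p: context_type(match_context(compiled, p)) for p in paths}


def mislabelled(specs: List[Spec], wanted: str = "textrel_shlib_t") -> List[str]:
    """Paths that would NOT get the wanted type. A text-relocating library
    left as lib_t is exactly the case that pushes people towards the far
    broader allow_execmod boolean instead of a per-file label."""
    return [p for p, t in label_all(specs).items() if t != wanted]


if __name__ == "__main__":
    print("still lib_t before:", mislabelled(BASE_SPECS))
    print("still lib_t after: ", mislabelled(BASE_SPECS + [PAUL_SPEC]))
```

Run as a script it lists the plugin copies that would stay lib_t before and after the extra entry; anything left in the second list would need allow_execmod, which Paul's earlier message argues against. Swap in the real entries from /etc/selinux/targeted/contexts/files/file_contexts to check a live system rather than the stand-ins.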
From gene at czarc.net Wed Oct 4 21:09:08 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Wed, 4 Oct 2006 17:09:08 -0400
Subject: FC6 SELinux issues
Message-ID: <200610041709.08994.gene@czarc.net>

I have been running FC6T3 plus updates and an even more recent install from FC6 development (selinux targeted and enforcing) and everything is looking very good.

Since I follow the LSPP list and know that a lot of work has been done with the mls policy for RHEL 5 (and FC6), I thought I would give it a try.

Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.

1. install selinux-policy-mls and switch to it using the system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!

2. OK, get the system back up in targeted mode. I then thought I would try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I log on as root, I cannot do anything. This is NOT GOOD!!!

3. While doing the above tests, I tried using the system-config-security gui tool to change the policy. I booted up with enforcing=0 and then tried the tool to change back to targeted. Since I run targeted with enforcing, I left the tool specification as enforcing. Unfortunately, the tool sets enforcing for the runtime system BEFORE it changes the /etc/sysconfig/selinux file.

Folks, this does not look ready for prime time as close as we are to final! While I do not expect everything to work, I do expect a bit more than what I got. From what I saw, this should be easily repeatable by developers.

As I said, it is going to take me a bit of time to gather documentation for bugzilla reports.
I hope that someone out there can give these policies a try to see if they can duplicate what I experienced.

-- 
Gene Czarcinski

From gene at czarc.net Wed Oct 4 22:27:44 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Wed, 4 Oct 2006 18:27:44 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610041709.08994.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net>
Message-ID: <200610041827.44823.gene@czarc.net>

On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
> Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.
>
> 1. install selinux-policy-mls and switch to it using the system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!
>
> 2. OK, get the system back up in targeted mode. I then thought I would try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I log on as root, I cannot do anything.

Grumble, grumble. Naturally, what did not work at work now works (sort of) when I try to reproduce it at home. I do believe that there are some problems but I need to "better" reproduce them.

I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?
Gene

From joe at nall.com Wed Oct 4 22:37:49 2006
From: joe at nall.com (Joe Nall)
Date: Wed, 4 Oct 2006 17:37:49 -0500
Subject: FC6 SELinux issues
In-Reply-To: <200610041827.44823.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610041827.44823.gene@czarc.net>
Message-ID:

On Oct 4, 2006, at 5:27 PM, Gene Czarcinski wrote:
> I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?

Yes in permissive mode. X and friends don't work in enforcing mode yet. I'm running fc6t2 fully updated, with Eric Paris's kernel and Dan Walsh's latest MLS policy on several machines.

joe

From gene at czarc.net Wed Oct 4 23:11:22 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Wed, 4 Oct 2006 19:11:22 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610041827.44823.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610041827.44823.gene@czarc.net>
Message-ID: <200610041911.22792.gene@czarc.net>

On Wednesday 04 October 2006 18:27, Gene Czarcinski wrote:
> On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
> > Before I spend time putting in bugzilla reports, since it is going to take time to gather the documentation, I am hoping some of this is known. This testing was done with clean installs on hardware and using vmware.
> >
> > 1. install selinux-policy-mls and switch to it using the system-config-security tool ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost immediate kernel panic!
> >
> > 2. OK, get the system back up in targeted mode. I then thought I would try strict ... install selinux-policy-strict ... then reboot and do the relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ... no kernel panic ... but not much better since some services fail starting and, when I log on as root, I cannot do anything.
>
> Grumble, grumble. Naturally, what did not work at work now works (sort of) when I try to reproduce it at home. I do believe that there are some problems but I need to "better" reproduce them.
>
> I would still like to know if someone has installed something like fc6test3 and then installed and switched to the mls policy ... did it work? ... did it not work?

Well, at least one of the problems (kernel panic) appears to be hardware related ... does not work on old dual P4 (Dell 350 workstation) but does work on AMD X2 4400+ processor system. There are still some services that are not working but that will take a lot more work to track down.

Gene

From andrew.suchoski at hp.com Wed Oct 4 23:36:55 2006
From: andrew.suchoski at hp.com (Andy Suchoski)
Date: Wed, 04 Oct 2006 19:36:55 -0400
Subject: Problem with upgrading a file sensitivity level with mls policy
Message-ID: <45244597.5000709@hp.com>

Hello,

I've been trying to get a simple piece of code to work to upgrade a file's sensitivity level. I wrote a simple policy to have the process run in a new domain and assigned mlsfileupgrade to the domain. I thought I did everything needed to make it work but apparently not. The program does work in permissive mode so this isn't a DAC problem. (The target file is owned by andy, modebits 644 and the process runs as EUID=andy.)

The kernel is 2.6.17.2178_FC5 and I'm using the selinux-policy-mls-2.3.7-2.fc5 policy.

Thanks.

Following is the AVC, code, policy, and example output.
------------------------------------------------------------------------------------------------------ type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom } for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 tcontext=user_u:object_r:user_t:s0 tclass=file ----------------------------------------------------------------------------------------------------------------------- #include #include #include main() { int retval; security_context_t secconstr,con; context_t seconstrct; char * newlabel; /* Get file context */ retval=getfilecon("/app/foobar", &secconstr); /* Print the context */ printf("Security context is %s\n", secconstr); /* Convert the security_context_t to a context_t */ seconstrct=context_new(secconstr); /* Assign new Sensitivity label */ retval=context_range_set(seconstrct,"s0:c5"); if (retval < 0) perror ("context_range_set"); secconstr=context_str(seconstrct); printf("NEW Security context is %s\n",secconstr); retval=setfilecon("/app/foobar",secconstr); if (retval < 0) perror ("setfilecon"); retval=getfilecon("/app/foobar", &con); if (retval < 0) perror ("getfilecon"); printf("Read NEW security context %s\n", con); } ------------------------------------------------------------------------------------------------------------------------- The policy: policy_module(localmisc, 0.1.12) require { type user_t; type user_tty_device_t; }; type andy_t; type andy_exec_t; domain_type(andy_t) mls_file_upgrade(andy_t) domain_entry_file(andy_t, andy_exec_t) domain_use_interactive_fds(andy_t) allow andy_t user_tty_device_t:chr_file { read write }; domain_auto_trans(user_t, andy_exec_t, andy_t) libs_use_ld_so(andy_t) libs_use_shared_libs(andy_t) role user_r types andy_t; allow andy_t user_t: file { read getattr relabelfrom relabelto }; allow andy_t user_t:process sigchld; --------------------------------------------------------------------------------------------------------------------- Output of the 
program:

[andy at localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy at localhost examples]$
---------------------------------------------------------------------------

From dwalsh at redhat.com Thu Oct 5 14:29:50 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 05 Oct 2006 10:29:50 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610041911.22792.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610041827.44823.gene@czarc.net> <200610041911.22792.gene@czarc.net>
Message-ID: <452516DE.2060804@redhat.com>

Gene Czarcinski wrote:
> On Wednesday 04 October 2006 18:27, Gene Czarcinski wrote:
>
>> On Wednesday 04 October 2006 17:09, Gene Czarcinski wrote:
>>
>>> Before I spend time putting in bugzilla reports since it is going to take
>>> time to gather the documentation, I am hoping some of this is known.
>>> This testing was done with clean installs on hardware and using vmware.
>>>
>>> 1. install selinux-policy-mls and switch to it using the
>>> system-config-security tool ... then reboot and do the relabeling
>>> (enforcing=0). Then reboot again (enforcing=1) ... oops, an almost
>>> immediate kernel panic!
>>>
>>> 2. OK, get the system back up in targeted mode. I then thought I would
>>> try strict ... install selinux-policy-strict ... then reboot and do the
>>> relabeling (enforcing=0). Then reboot again (enforcing=1) ... better ...
>>> no kernel panic ... but not much better since some services fail starting
>>> and, when I logon as root, I cannot do anything.
>>>
>> Grumble, grumble. Naturally, what did not work at work now works (sort of)
>> when I try to reproduce it at home. I do believe that there are some
>> problems but I need to "better" reproduce them.
>>
>> I would still like to know if someone has installed something like fc6test3
>> and then installed and switched to the mls policy ... did it work? ... did
>> it not work?
>>
>
> Well, at least one of the problems (kernel panic) appears to be hardware
> related ... does not work on old dual P4 (Dell 350 workstation) but does work
> on AMD X2 4400+ processor system. There are still some services that are not
> working but that will take a lot more work to track down.
>
> Gene
>
MLS Policy is a server only policy. IE We do not support X-Windows. So if you want to change to MLS you need to remove all X-Windows software and relabel. Then it should work, but you need to understand how an MLS environment works.

Strict policy is not heavily tested in Fedora. Most people run targeted. We will look at any problems that you have with it, though.

There is not that much difference between strict and targeted policy at this point on the system space side and I want to work on adding Userspace confinement via targeted policy and booleans in the future. So people can begin to confine userspace if they so choose.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From andrew.suchoski at hp.com Thu Oct 5 16:32:45 2006
From: andrew.suchoski at hp.com (Suchoski, Andrew)
Date: Thu, 5 Oct 2006 12:32:45 -0400
Subject: Problem with upgrading a file sensitivity level with mls policy
References: <45244597.5000709@hp.com>
Message-ID:

Found my problem. I was concentrating on the domain - type access controls for relabelfrom/relabelto and I forgot about the basic TE constraint that states

constrain dir_file_class_set { create relabelto relabelfrom }
    ( u1 == u2 or t1 == can_change_object_identity );

audit2allow doesn't help very much with that.
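The diagnosis above (the constraint, not the TE allow rules, is what denies the relabel) can be checked by hand against the contexts in the AVC. The program below is an added example, not Andrew's code and not libselinux or the reference policy: it splits a context into its fields the way the context_t API does, rewrites the MLS range as context_range_set() did in the original program, and evaluates the quoted constraint for both halves of a relabel (relabelfrom against the file's current label, relabelto against the requested one). Whether the source type carries the can_change_object_identity attribute cannot be read from a context string, so the caller passes it as a flag; that flag, the struct layout and the function names are this example's own assumptions. It models only the quoted constraint, not the TE rule or the MLS constraints that mls_file_upgrade() satisfies.

```c
#include <stdio.h>
#include <string.h>

/* A security context split into its fields, in the spirit of the libselinux
 * context_t API.  Added example: this is not libselinux and it does not
 * consult the loaded policy. */
struct ctx {
    char user[64];
    char role[64];
    char type[64];
    char range[128];    /* MLS range; empty when the context has none */
};

/* Parse "user:role:type[:range]".  Only the first three colons separate
 * fields, because a range such as "s0-s15:c0.c255" contains colons itself.
 * Returns 0 on success, -1 if the string is malformed. */
static int ctx_parse(const char *s, struct ctx *c)
{
    char *field[3] = { c->user, c->role, c->type };
    size_t lim[3] = { sizeof c->user, sizeof c->role, sizeof c->type };
    const char *p = s;

    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= lim[i])
            return -1;
        memcpy(field[i], p, len);
        field[i][len] = '\0';
        if (!colon) {
            if (i != 2)             /* "user:role" with no type */
                return -1;
            c->range[0] = '\0';     /* non-MLS context */
            return 0;
        }
        p = colon + 1;
    }
    if (strlen(p) == 0 || strlen(p) >= sizeof c->range)
        return -1;
    strcpy(c->range, p);
    return 0;
}

/* What context_range_set() followed by context_str() did in the original
 * program: replace the range and re-serialise the context.
 * Returns 0 on success, -1 on a malformed context or a too-small buffer. */
int ctx_set_range(const char *s, const char *range, char *out, size_t n)
{
    struct ctx c;
    if (ctx_parse(s, &c) < 0)
        return -1;
    int len = snprintf(out, n, "%s:%s:%s:%s", c.user, c.role, c.type, range);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* The base-policy constraint quoted in this thread:
 *   constrain dir_file_class_set { create relabelto relabelfrom }
 *       ( u1 == u2 or t1 == can_change_object_identity );
 * u1/t1 are the source (process) user and type, u2 the target (file) user.
 * Attribute membership is not visible in a context string, so the caller
 * states whether the source type has can_change_object_identity (assumption).
 * Returns 1 if the constraint is satisfied, 0 if not, -1 on a bad context. */
int constraint_allows(const char *scon, const char *tcon, int src_can_change_identity)
{
    struct ctx s, t;
    if (ctx_parse(scon, &s) < 0 || ctx_parse(tcon, &t) < 0)
        return -1;
    if (strcmp(s.user, t.user) == 0)
        return 1;
    return src_can_change_identity ? 1 : 0;
}

/* A relabel is two checks: relabelfrom against the file's current label and
 * relabelto against the requested one.  The constraint applies to both;
 * the TE allow rule and the MLS constraints still apply on top of it. */
int relabel_allowed(const char *scon, const char *oldcon, const char *newcon,
                    int src_can_change_identity)
{
    int from = constraint_allows(scon, oldcon, src_can_change_identity);
    int to = constraint_allows(scon, newcon, src_can_change_identity);
    if (from < 0 || to < 0)
        return -1;
    return from && to;
}

int main(void)
{
    /* Values taken from the AVC and program output in this thread. */
    const char *scon = "andy_u:user_r:andy_t:s0-s15:c0.c255";
    const char *oldcon = "user_u:object_r:user_t:s0";
    char newcon[256];

    if (ctx_set_range(oldcon, "s0:c5", newcon, sizeof newcon) < 0)
        return 1;
    printf("requested label: %s\n", newcon);
    printf("constraint allows the relabel: %d\n",
           relabel_allowed(scon, oldcon, newcon, 0));
    /* The same request against a file owned by the same SELinux user passes. */
    printf("with a file labelled andy_u: %d\n",
           relabel_allowed(scon, "andy_u:object_r:user_t:s0",
                           "andy_u:object_r:user_t:s0:c5", 0));
    return 0;
}
```

The first call returns 0 for exactly the reason Andrew found: the process user andy_u differs from the file's user_u, and andy_t is not in can_change_object_identity, so neither disjunct holds; the second call, with a file already labelled andy_u, returns 1. On a real system audit2why, as Stephen notes next, reports whether a denial came from a constraint or from missing TE rules.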
________________________________

From: fedora-selinux-list-bounces at redhat.com on behalf of Suchoski, Andrew
Sent: Wed 10/4/2006 7:36 PM
To: fedora-selinux-list at redhat.com
Subject: Problem with upgrading a file sensitivity level with mls policy

Hello,

I've been trying to get a simple piece of code to work to upgrade a file's sensitivity level. I wrote a simple policy to have the process run in a new domain and assigned mlsfileupgrade to the domain. I thought I did everything needed to make it work but apparently not. The program does work in permissive mode so this isn't a DAC problem. (The target file is owned by andy, modebits 644 and the process runs as EUID=andy.) The kernel is 2.6.17.2178_FC5 and I'm using the selinux-policy-mls-2.3.7-2.fc5 policy.

Thanks.

Following is the AVC, code, policy, and example output.

---------------------------------------------------------------------------
type=AVC msg=audit(1160002208.475:477): avc: denied { relabelfrom } for pid=5282 comm="setfsc1" name="foobar" dev=hda3 ino=817610 scontext=andy_u:user_r:andy_t:s0-s15:c0.c255 tcontext=user_u:object_r:user_t:s0 tclass=file
---------------------------------------------------------------------------
#include <stdio.h>
#include <selinux/selinux.h>
#include <selinux/context.h>

int main(void)
{
    int retval;
    security_context_t secconstr, con;
    context_t seconstrct;
    const char *newlabel;

    /* Get file context */
    retval = getfilecon("/app/foobar", &secconstr);
    if (retval < 0) {
        perror("getfilecon");
        return 1;
    }
    /* Print the context */
    printf("Security context is %s\n", secconstr);

    /* Convert the security_context_t to a context_t */
    seconstrct = context_new(secconstr);

    /* Assign new Sensitivity label */
    retval = context_range_set(seconstrct, "s0:c5");
    if (retval < 0)
        perror("context_range_set");
    newlabel = context_str(seconstrct);
    printf("NEW Security context is %s\n", newlabel);

    retval = setfilecon("/app/foobar", newlabel);
    if (retval < 0)
        perror("setfilecon");

    retval = getfilecon("/app/foobar", &con);
    if (retval < 0) {
        perror("getfilecon");
    } else {
        printf("Read NEW security context %s\n", con);
        freecon(con);
    }

    /* Release the contexts obtained above; context_free() also frees
     * the string returned by context_str(). */
    context_free(seconstrct);
    freecon(secconstr);
    return 0;
}
---------------------------------------------------------------------------
The policy:

policy_module(localmisc, 0.1.12)

require {
    type user_t;
    type user_tty_device_t;
};

type andy_t;
type andy_exec_t;
domain_type(andy_t)
mls_file_upgrade(andy_t)
domain_entry_file(andy_t, andy_exec_t)
domain_use_interactive_fds(andy_t)
allow andy_t user_tty_device_t:chr_file { read write };
domain_auto_trans(user_t, andy_exec_t, andy_t)
libs_use_ld_so(andy_t)
libs_use_shared_libs(andy_t)
role user_r types andy_t;
allow andy_t user_t: file { read getattr relabelfrom relabelto };
allow andy_t user_t:process sigchld;
---------------------------------------------------------------------------
Output of the program:

[andy at localhost examples]$ ./setfsc1
Security context is user_u:object_r:user_t:s0
NEW Security context is user_u:object_r:user_t:s0:c5
setfilecon: Permission denied
Read NEW security context user_u:object_r:user_t:s0
[andy at localhost examples]$
---------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From sds at tycho.nsa.gov Thu Oct 5 17:42:50 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 05 Oct 2006 13:42:50 -0400
Subject: Problem with upgrading a file sensitivity level with mls policy
In-Reply-To:
References: <45244597.5000709@hp.com>
Message-ID: <1160070170.2132.113.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-10-05 at 12:32 -0400, Suchoski, Andrew wrote:
> Found my problem.
> I was concentrating on the domain - type access controls for relabelfrom/relabelto and I forgot about the basic TE constraint that states
>
> constrain dir_file_class_set { create relabelto relabelfrom }
> ( u1 == u2 or t1 == can_change_object_identity );
>
> audit2allow doesn't help very much with that.

True. audit2why can at least diagnose whether it is constraint-related or TE-related.

--
Stephen Smalley
National Security Agency

From gene at czarc.net Thu Oct 5 18:51:28 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Thu, 5 Oct 2006 14:51:28 -0400
Subject: FC6 SELinux issues
In-Reply-To: <452516DE.2060804@redhat.com>
References: <200610041709.08994.gene@czarc.net> <200610041911.22792.gene@czarc.net> <452516DE.2060804@redhat.com>
Message-ID: <200610051451.28912.gene@czarc.net>

On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
> MLS Policy is a server only policy. IE We do not support X-Windows.
> So if you want to change to MLS you need to remove all X-Windows
> software and relabel. Then it should work, but you need to understand
> how an MLS environment works.

OK, I can understand that. However, the release notes (or some other release documentation) should point this out. Given this situation and vmware, I will create some server-only guests to try things out.

>
> Strict policy is not heavily tested in Fedora. Most people run
> targeted. We will look at any problems that you have with it, though.

Ditto on documentation. When I first tried SELinux in FC2, "strict" was it but everything more or less worked.

At this point, I have no idea as to the kernel panic cause on the Dell 350 and may not be able to address that given other circumstances. However, I did notice that a number of services did have startup and/or shutdown problems ... this occurred on both strict and mls although at this point I do not know if they are the same services.
>
> There is not that much difference between strict and targeted policy at
> this point on the system space side and I want to work on adding
> Userspace confinement via targeted policy and booleans in the future.
> So people can begin to confine userspace if they so choose.

Given the same services, some do not work properly under strict but function just fine under targeted.

--
Gene

From dwalsh at redhat.com Thu Oct 5 19:28:04 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 05 Oct 2006 15:28:04 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610051451.28912.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610041911.22792.gene@czarc.net> <452516DE.2060804@redhat.com> <200610051451.28912.gene@czarc.net>
Message-ID: <45255CC4.4050005@redhat.com>

Gene Czarcinski wrote:
> On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
>
>> MLS Policy is a server only policy. IE We do not support X-Windows.
>> So if you want to change to MLS you need to remove all X-Windows
>> software and relabel. Then it should work, but you need to understand
>> how an MLS environment works.
>>
>
> OK, I can understand that. However, the release notes (or some other release
> documentation) should point this out. Given this situation and vmware, I
> will create some server-only guests to try things out.
>
>
>> Strict policy is not heavily tested in Fedora. Most people run
>> targeted. We will look at any problems that you have with it, though.
>>
>
> Ditto on documentation. When I first tried SELinux in FC2, "strict" was it
> but everything more or less worked.
>
>
A lot has changed since FC2 :^)
> At this point, I have no idea as to the kernel panic cause on the Dell 350 and
> may not be able to address that given other circumstances. However, I did
> notice that a number of services did have startup and/or shutdown
> problems ... this occurred on both strict and mls although at this point I do
> not know if they are the same services.
>
>
>> There is not that much difference between strict and targeted policy at
>> this point on the system space side and I want to work on adding
>> Userspace confinement via targeted policy and booleans in the future.
>> So people can begin to confine userspace if they so choose.
>>
>
> Given the same services, some do not work properly under strict but function
> just fine under targeted.
>
Please get avc messages for any case where this happens.

From gene at czarc.net Thu Oct 5 19:44:07 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Thu, 5 Oct 2006 15:44:07 -0400
Subject: FC6 SELinux issues
In-Reply-To: <45255CC4.4050005@redhat.com>
References: <200610041709.08994.gene@czarc.net> <200610051451.28912.gene@czarc.net> <45255CC4.4050005@redhat.com>
Message-ID: <200610051544.07095.gene@czarc.net>

On Thursday 05 October 2006 15:28, Daniel J Walsh wrote:
> > Given the same services, some do not work properly under strict but
> > function just fine under targeted.
> >
>
> Please get avc messages for any case where this happens.

Will do. As soon as I set up things so I can get good documentation, I will bugzilla a report ... do you want one report for all of the avc messages or a separate report for each.

I am assuming you want bugzilla reports but I can also just send you the errors I find. Your call.

--
Gene

From dwalsh at redhat.com Thu Oct 5 19:51:31 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 05 Oct 2006 15:51:31 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610051544.07095.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610051451.28912.gene@czarc.net> <45255CC4.4050005@redhat.com> <200610051544.07095.gene@czarc.net>
Message-ID: <45256243.3040005@redhat.com>

Gene Czarcinski wrote:
> On Thursday 05 October 2006 15:28, Daniel J Walsh wrote:
>
>>> Given the same services, some do not work properly under strict but
>>> function just fine under targeted.
>>>
>>>
>> Please get avc messages for any case where this happens.
>>
>
> Will do. As soon as I set up things so I can get good documentation, I will
> bugzilla a report ... do you want one report for all of the avc messages or a
> separate report for each.
>
>
One per daemon is easier to handle, but either way is fine.
> I am assuming you want bugzilla reports but I can also just send you the
> errors I find. Your call.
>
Bugzillas do not get lost, emails do. :^(

From pierre.juhen at wanadoo.fr Thu Oct 5 20:42:06 2006
From: pierre.juhen at wanadoo.fr (Pierre JUHEN)
Date: Thu, 05 Oct 2006 22:42:06 +0200
Subject: Trouble with module
Message-ID: <45256E1E.6010008@pierre.juhen>

To correct error messages appearing in the audit.log, I ran the procedure described in the audit2allow manual page.

Here is the .te file :

module local 1.0;

require {
    class dir search;
    class fd use;
    class fifo_file write;
    class file { read write };
    class netlink_route_socket create;
    class unix_stream_socket { read write };
    type apmd_log_t;
    type cupsd_config_t;
    type cupsd_t;
    type dovecot_auth_t;
    type dovecot_t;
    type etc_mail_t;
    type etc_runtime_t;
    type hald_t;
    type home_root_t;
    type hostname_t;
    type restorecon_t;
    type semanage_t;
    type unconfined_t;
    type user_home_dir_t;
    type usr_t;
    type xdm_t;
    role system_r;
};

allow cupsd_config_t apmd_log_t:file { read write };
allow cupsd_t apmd_log_t:file { read write };
allow dovecot_auth_t self:netlink_route_socket create;
allow dovecot_t etc_runtime_t:file read;
allow dovecot_t unconfined_t:fifo_file write;
allow dovecot_t xdm_t:fd use;
allow hald_t home_root_t:dir search;
allow hostname_t etc_mail_t:file read;
allow hostname_t unconfined_t:fifo_file write;
allow hostname_t usr_t:file read;
allow hostname_t xdm_t:fd use;
allow restorecon_t xdm_t:fd use;
allow semanage_t unconfined_t:unix_stream_socket { read write };
allow semanage_t user_home_dir_t:dir search;

When I try to load the module using "semodule -i local.pp"

I get :

libsepol.module_package_read_offsets: wrong magic number for module package: expected 4185718671, got 4185718669
libsemanage.semanage_load_module: Error while reading from module file/etc/ selinux/targeted/modules/tmp/modules/toto.mod.

"/etc/ selinux/targeted/modules/tmp" does not exist.

Module local is in "/etc/selinux/targeted/modules/active/modules".

I run a Fedora Core 5 x86_64, strictly up to date (policy: targeted) (kernel-2.6.17-1.2187_FC5).
policycoreutils-1.30.10-2.fc5

Thanks for the hints.

From method at gentoo.org Fri Oct 6 02:28:35 2006
From: method at gentoo.org (Joshua Brindle)
Date: Thu, 05 Oct 2006 22:28:35 -0400
Subject: Trouble with module
In-Reply-To: <45256E1E.6010008@pierre.juhen>
References: <45256E1E.6010008@pierre.juhen>
Message-ID: <4525BF53.4000907@gentoo.org>

Pierre JUHEN wrote:
> To correct error messages appearing in the audit.log, I ran the
> procedure described in the audit2allow manual page.
>
> Here is the .te file :
>
> module local 1.0;
>
> require {
> class dir search;
> class fd use;
> class fifo_file write;
> class file { read write };
> class netlink_route_socket create;
> class unix_stream_socket { read write };
> type apmd_log_t;
> type cupsd_config_t;
> type cupsd_t;
> type dovecot_auth_t;
> type dovecot_t;
> type etc_mail_t;
> type etc_runtime_t;
> type hald_t;
> type home_root_t;
> type hostname_t;
> type restorecon_t;
> type semanage_t;
> type unconfined_t;
> type user_home_dir_t;
> type usr_t;
> type xdm_t;
> role system_r;
> };
>
> allow cupsd_config_t apmd_log_t:file { read write };
> allow cupsd_t apmd_log_t:file { read write };
> allow dovecot_auth_t self:netlink_route_socket create;
> allow dovecot_t etc_runtime_t:file read;
> allow dovecot_t unconfined_t:fifo_file write;
> allow dovecot_t xdm_t:fd use;
> allow hald_t home_root_t:dir search;
> allow hostname_t etc_mail_t:file read;
> allow hostname_t unconfined_t:fifo_file write;
> allow hostname_t usr_t:file read;
> allow hostname_t xdm_t:fd use;
> allow restorecon_t xdm_t:fd use;
> allow semanage_t unconfined_t:unix_stream_socket { read write };
> allow semanage_t user_home_dir_t:dir search;
>
> When I try to load the module using "semodule -i local.pp"
>
> I get :
>
> libsepol.module_package_read_offsets: wrong magic number for module
> package: expected 4185718671, got 4185718669
> libsemanage.semanage_load_module: Error while reading from module
> file/etc/ selinux/targeted/modules/tmp/modules/toto.mod.
>
did you build a policy package correctly using the following commands:

checkmodule -M -m local.te -o local.mod
semodule_package -m local.mod -o local.pp
semodule -i local.pp

it looks like you probably skipped the middle step..

From pierre.juhen at wanadoo.fr Fri Oct 6 07:11:49 2006
From: pierre.juhen at wanadoo.fr (Pierre JUHEN)
Date: Fri, 6 Oct 2006 09:11:49 +0200 (CEST)
Subject: Trouble with module
Message-ID: <4822015.335571160118709458.JavaMail.www@wwinf1506>

No, I didn't skip the middle step.

I have turned around this problem for days, googleized a lot, I didn't find a clue.

Why is semodule looking in a nonexistent directory ?

I suspect a configuration problem, but where ?????

> Message of 06/10/06 04:28
> From: "Joshua Brindle"
> To: "Pierre JUHEN"
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: Trouble with module
>
> Pierre JUHEN wrote:
> > To correct error messages appearing in the audit.log, I ran the
> > procedure described in the audit2allow manual page.
> > > > Here is the .te file : > > > > module local 1.0; > > > > require { > > class dir search; > > class fd use; > > class fifo_file write; > > class file { read write }; > > class netlink_route_socket create; > > class unix_stream_socket { read write }; > > type apmd_log_t; > > type cupsd_config_t; > > type cupsd_t; > > type dovecot_auth_t; > > type dovecot_t; > > type etc_mail_t; > > type etc_runtime_t; > > type hald_t; > > type home_root_t; > > type hostname_t; > > type restorecon_t; > > type semanage_t; > > type unconfined_t; > > type user_home_dir_t; > > type usr_t; > > type xdm_t; > > role system_r; > > }; > > > > allow cupsd_config_t apmd_log_t:file { read write }; > > allow cupsd_t apmd_log_t:file { read write }; > > allow dovecot_auth_t self:netlink_route_socket create; > > allow dovecot_t etc_runtime_t:file read; > > allow dovecot_t unconfined_t:fifo_file write; > > allow dovecot_t xdm_t:fd use; > > allow hald_t home_root_t:dir search; > > allow hostname_t etc_mail_t:file read; > > allow hostname_t unconfined_t:fifo_file write; > > allow hostname_t usr_t:file read; > > allow hostname_t xdm_t:fd use; > > allow restorecon_t xdm_t:fd use; > > allow semanage_t unconfined_t:unix_stream_socket { read write }; > > allow semanage_t user_home_dir_t:dir search; > > > > When I try to load the module using "semodule -i local.pp" > > > > Iget : > > > > libsepol.module_package_read_offsets: wrong magic number for module > > package: expected 4185718671, got 4185718669 > > libsemanage.semanage_load_module: Error while reading from module > > file/etc/ selinux/targeted/modules/tmp/modules/toto.mod. > > > did you build a policy package correctly using the following commands: > > checkmodule -M -m local.te -o local.mod > semodule_package -m local.mod -o local.pp > semodule -i local.pp > > > it looks like you probably skipped the middle step.. 
> > From jbrindle at tresys.com Fri Oct 6 12:03:04 2006 From: jbrindle at tresys.com (Joshua Brindle) Date: Fri, 06 Oct 2006 08:03:04 -0400 Subject: Trouble with module In-Reply-To: <4822015.335571160118709458.JavaMail.www@wwinf1506> References: <4822015.335571160118709458.JavaMail.www@wwinf1506> Message-ID: <452645F8.6070103@tresys.com> Pierre JUHEN wrote: > No, I didn't skip the middle step. > > I have turned around this problem for days, googleized a lot, > I didnt find a clue. > > Why is semodule looking in a inexistant directory ? > > the directory is there when the operation fails. semodule copies everything from modules/active to modules/tmp to operate on it and when it reads that file (toto.mod) it fails because it is a policy module and not a policy package. try semodule -r toto though I don't know how that file got there in the first place, semodule should have never accepted it > I suspect a configuration problem, but where ????? > > >> Message du 06/10/06 04:28 >> De : "Joshua Brindle" >> A : "Pierre JUHEN" >> Copie ? : fedora-selinux-list at redhat.com >> Objet : Re: Trouble with module >> >> Pierre JUHEN wrote: >> >>> To correct error messages appearing in the audit.log, I ran the >>> procedure described in the audit2allow manual page. 
>>> >>> Here is the .te file : >>> >>> module local 1.0; >>> >>> require { >>> class dir search; >>> class fd use; >>> class fifo_file write; >>> class file { read write }; >>> class netlink_route_socket create; >>> class unix_stream_socket { read write }; >>> type apmd_log_t; >>> type cupsd_config_t; >>> type cupsd_t; >>> type dovecot_auth_t; >>> type dovecot_t; >>> type etc_mail_t; >>> type etc_runtime_t; >>> type hald_t; >>> type home_root_t; >>> type hostname_t; >>> type restorecon_t; >>> type semanage_t; >>> type unconfined_t; >>> type user_home_dir_t; >>> type usr_t; >>> type xdm_t; >>> role system_r; >>> }; >>> >>> allow cupsd_config_t apmd_log_t:file { read write }; >>> allow cupsd_t apmd_log_t:file { read write }; >>> allow dovecot_auth_t self:netlink_route_socket create; >>> allow dovecot_t etc_runtime_t:file read; >>> allow dovecot_t unconfined_t:fifo_file write; >>> allow dovecot_t xdm_t:fd use; >>> allow hald_t home_root_t:dir search; >>> allow hostname_t etc_mail_t:file read; >>> allow hostname_t unconfined_t:fifo_file write; >>> allow hostname_t usr_t:file read; >>> allow hostname_t xdm_t:fd use; >>> allow restorecon_t xdm_t:fd use; >>> allow semanage_t unconfined_t:unix_stream_socket { read write }; >>> allow semanage_t user_home_dir_t:dir search; >>> >>> When I try to load the module using "semodule -i local.pp" >>> >>> Iget : >>> >>> libsepol.module_package_read_offsets: wrong magic number for module >>> package: expected 4185718671, got 4185718669 >>> libsemanage.semanage_load_module: Error while reading from module >>> file/etc/ selinux/targeted/modules/tmp/modules/toto.mod. >>> >>> >> did you build a policy package correctly using the following commands: >> >> checkmodule -M -m local.te -o local.mod >> semodule_package -m local.mod -o local.pp >> semodule -i local.pp >> >> >> it looks like you probably skipped the middle step.. 
>>
>>

From ynakam at gwu.edu Fri Oct 6 14:09:50 2006
From: ynakam at gwu.edu (Yuichi Nakamura)
Date: Fri, 06 Oct 2006 23:09:50 +0900
Subject: No type=PATH record in FC6 audit?
Message-ID:

Hi,

I am playing with FC6-test3. I installed audit, and found that type=PATH record does not appear in audit.log, when access is denied by SELinux.

Will type=PATH record disappear in FC6?

Yuichi Nakamura

From sds at tycho.nsa.gov Fri Oct 6 14:29:55 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 06 Oct 2006 10:29:55 -0400
Subject: No type=PATH record in FC6 audit?
In-Reply-To:
References:
Message-ID: <1160144995.12253.63.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-06 at 23:09 +0900, Yuichi Nakamura wrote:
> Hi,
>
> I am playing with FC6-test3.
> I installed audit,
> and found that type=PATH record does not appear in audit.log,
> when access is denied by SELinux.
>
> Will type=PATH record disappear in FC6?

If you define any audit rules via auditctl (or put them into /etc/audit/audit.rules for loading upon startup), then you should see them again. There is an optimization in the audit system to disable collection of audit data like paths if there are no audit rules to avoid the overhead associated with such collection. This means you need at least one audit rule defined to get that information.

--
Stephen Smalley
National Security Agency

From linux_4ever at yahoo.com Fri Oct 6 16:12:49 2006
From: linux_4ever at yahoo.com (Steve G)
Date: Fri, 6 Oct 2006 09:12:49 -0700 (PDT)
Subject: No type=PATH record in FC6 audit?
In-Reply-To:
Message-ID: <20061006161249.98641.qmail@web51503.mail.yahoo.com>

>Will type=PATH record disappear in FC6?

It is there, however we lose that record unless you have audit rules loaded. This was part of some performance optimizations of the audit system so that it can be on all the time for setroubleshootd.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From thethirddoorontheleft at verizon.net Fri Oct 6 17:08:25 2006
From: thethirddoorontheleft at verizon.net (Darwin H. Webb)
Date: Fri, 06 Oct 2006 10:08:25 -0700
Subject: This list can not be viewed by Foxfire 3.0a1.
Message-ID: <45268D89.5010803@verizon.net>

Please fix this list so Fx-3.0a1 can read it. The other lists work fine with Fx-3.0a1.

thank you,
Darwin

From pierre.juhen at wanadoo.fr Fri Oct 6 18:55:51 2006
From: pierre.juhen at wanadoo.fr (Pierre JUHEN)
Date: Fri, 06 Oct 2006 20:55:51 +0200
Subject: Trouble with module
In-Reply-To: <452645F8.6070103@tresys.com>
References: <4822015.335571160118709458.JavaMail.www@wwinf1506> <452645F8.6070103@tresys.com>
Message-ID: <4526A6B7.8090400@pierre.juhen>

I did semodule -r toto :

libsepol.module_package_read_offsets: wrong magic number for module package: expected 4185718671, got 4185718669
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/toto.mod.
semodule: Failed!

semodule -r local

libsemanage.semanage_direct_remove: Module local was not found.
semodule: Failed on local!

[root at pierre ~]# ls -lZ /etc/selinux/targeted/modules/active/modules
-rw-r--r-- root root root:object_r:semanage_store_t toto.mod
-rw-r--r-- root root root:object_r:semanage_store_t toto.pp
-rw-r--r-- root root system_u:object_r:semanage_store_t toto.te

I don't understand.

Thank you for your help.

Joshua Brindle wrote:
> Pierre JUHEN wrote:
>> No, I didn't skip the middle step.
>>
>> I have turned around this problem for days, googleized a lot,
>> I didn't find a clue.
>>
>> Why is semodule looking in a nonexistent directory ?
>>
>>
> the directory is there when the operation fails. semodule copies
> everything from modules/active to modules/tmp to operate on it and
> when it reads that file (toto.mod) it fails because it is a policy
> module and not a policy package.
> > try semodule -r toto > > though I don't know how that file got there in the first place, > semodule should have never accepted it >> I suspect a configuration problem, but where ????? >> >> >>> Message du 06/10/06 04:28 >>> De : "Joshua Brindle" >>> A : "Pierre JUHEN" >>> Copie ? : fedora-selinux-list at redhat.com >>> Objet : Re: Trouble with module >>> >>> Pierre JUHEN wrote: >>> >>>> To correct error messages appearing in the audit.log, I ran the >>>> procedure described in the audit2allow manual page. >>>> >>>> Here is the .te file : >>>> >>>> module local 1.0; >>>> >>>> require { >>>> class dir search; >>>> class fd use; >>>> class fifo_file write; >>>> class file { read write }; >>>> class netlink_route_socket create; >>>> class unix_stream_socket { read write }; >>>> type apmd_log_t; >>>> type cupsd_config_t; >>>> type cupsd_t; >>>> type dovecot_auth_t; >>>> type dovecot_t; >>>> type etc_mail_t; >>>> type etc_runtime_t; >>>> type hald_t; >>>> type home_root_t; >>>> type hostname_t; >>>> type restorecon_t; >>>> type semanage_t; >>>> type unconfined_t; >>>> type user_home_dir_t; >>>> type usr_t; >>>> type xdm_t; >>>> role system_r; >>>> }; >>>> >>>> allow cupsd_config_t apmd_log_t:file { read write }; >>>> allow cupsd_t apmd_log_t:file { read write }; >>>> allow dovecot_auth_t self:netlink_route_socket create; >>>> allow dovecot_t etc_runtime_t:file read; >>>> allow dovecot_t unconfined_t:fifo_file write; >>>> allow dovecot_t xdm_t:fd use; >>>> allow hald_t home_root_t:dir search; >>>> allow hostname_t etc_mail_t:file read; >>>> allow hostname_t unconfined_t:fifo_file write; >>>> allow hostname_t usr_t:file read; >>>> allow hostname_t xdm_t:fd use; >>>> allow restorecon_t xdm_t:fd use; >>>> allow semanage_t unconfined_t:unix_stream_socket { read write }; >>>> allow semanage_t user_home_dir_t:dir search; >>>> >>>> When I try to load the module using "semodule -i local.pp" >>>> >>>> Iget : >>>> >>>> libsepol.module_package_read_offsets: wrong magic number 
for module
>>>> package: expected 4185718671, got 4185718669
>>>> libsemanage.semanage_load_module: Error while reading from module
>>>> file/etc/ selinux/targeted/modules/tmp/modules/toto.mod.
>>>>
>>>>
>>> did you build a policy package correctly using the following commands:
>>>
>>> checkmodule -M -m local.te -o local.mod
>>> semodule_package -m local.mod -o local.pp
>>> semodule -i local.pp
>>>
>>>
>>> it looks like you probably skipped the middle step..
>>>
>>>
>
>

From jbrindle at tresys.com Fri Oct 6 18:59:27 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Fri, 06 Oct 2006 14:59:27 -0400
Subject: Trouble with module
In-Reply-To: <4526A6B7.8090400@pierre.juhen>
References: <4822015.335571160118709458.JavaMail.www@wwinf1506> <452645F8.6070103@tresys.com> <4526A6B7.8090400@pierre.juhen>
Message-ID: <1160161167.2905.24.camel@twoface.columbia.tresys.com>

On Fri, 2006-10-06 at 20:55 +0200, Pierre JUHEN wrote:
> I did semodule -r toto :
>
> libsepol.module_package_read_offsets: wrong magic number for module
> package: expected 4185718671, got 4185718669
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/targeted/modules/tmp/modules/toto.mod.
> semodule: Failed!
>
> semodule -r local
>
> libsemanage.semanage_direct_remove: Module local was not found.
> semodule: Failed on local!
>
> [root at pierre ~]# ls -lZ /etc/selinux/targeted/modules/active/modules
> -rw-r--r-- root root root:object_r:semanage_store_t toto.mod
> -rw-r--r-- root root root:object_r:semanage_store_t toto.pp
> -rw-r--r-- root root system_u:object_r:semanage_store_t toto.te
>
> I don't understand.
>
> Thank you for your help.
>
you need to delete toto.te and toto.mod from that directory. Those should have never been there, the module directory is a private directory that only libsemanage should be writing to.

>
>
>
> Joshua Brindle wrote:
> > Pierre JUHEN wrote:
> >> No, I didn't skip the middle step.
> >> > >> I have turned around this problem for days, googleized a lot, > >> I didnt find a clue. > >> > >> Why is semodule looking in a inexistant directory ? > >> > >> > > the directory is there when the operation fails. semodule copies > > everything from modules/active to modules/tmp to operate on it and > > when it reads that file (toto.mod) it fails because it is a policy > > module and not a policy package. > > > > try semodule -r toto > > > > though I don't know how that file got there in the first place, > > semodule should have never accepted it > >> I suspect a configuration problem, but where ????? > >> > >> > >>> Message du 06/10/06 04:28 > >>> De : "Joshua Brindle" > >>> A : "Pierre JUHEN" > >>> Copie ? : fedora-selinux-list at redhat.com > >>> Objet : Re: Trouble with module > >>> > >>> Pierre JUHEN wrote: > >>> > >>>> To correct error messages appearing in the audit.log, I ran the > >>>> procedure described in the audit2allow manual page. > >>>> > >>>> Here is the .te file : > >>>> > >>>> module local 1.0; > >>>> > >>>> require { > >>>> class dir search; > >>>> class fd use; > >>>> class fifo_file write; > >>>> class file { read write }; > >>>> class netlink_route_socket create; > >>>> class unix_stream_socket { read write }; > >>>> type apmd_log_t; > >>>> type cupsd_config_t; > >>>> type cupsd_t; > >>>> type dovecot_auth_t; > >>>> type dovecot_t; > >>>> type etc_mail_t; > >>>> type etc_runtime_t; > >>>> type hald_t; > >>>> type home_root_t; > >>>> type hostname_t; > >>>> type restorecon_t; > >>>> type semanage_t; > >>>> type unconfined_t; > >>>> type user_home_dir_t; > >>>> type usr_t; > >>>> type xdm_t; > >>>> role system_r; > >>>> }; > >>>> > >>>> allow cupsd_config_t apmd_log_t:file { read write }; > >>>> allow cupsd_t apmd_log_t:file { read write }; > >>>> allow dovecot_auth_t self:netlink_route_socket create; > >>>> allow dovecot_t etc_runtime_t:file read; > >>>> allow dovecot_t unconfined_t:fifo_file write; > >>>> allow dovecot_t xdm_t:fd 
use; > >>>> allow hald_t home_root_t:dir search; > >>>> allow hostname_t etc_mail_t:file read; > >>>> allow hostname_t unconfined_t:fifo_file write; > >>>> allow hostname_t usr_t:file read; > >>>> allow hostname_t xdm_t:fd use; > >>>> allow restorecon_t xdm_t:fd use; > >>>> allow semanage_t unconfined_t:unix_stream_socket { read write }; > >>>> allow semanage_t user_home_dir_t:dir search; > >>>> > >>>> When I try to load the module using "semodule -i local.pp" > >>>> > >>>> Iget : > >>>> > >>>> libsepol.module_package_read_offsets: wrong magic number for module > >>>> package: expected 4185718671, got 4185718669 > >>>> libsemanage.semanage_load_module: Error while reading from module > >>>> file/etc/ selinux/targeted/modules/tmp/modules/toto.mod. > >>>> > >>>> > >>> did you build a policy package correctly using the following commands: > >>> > >>> checkmodule -M -m local.te -o local.mod > >>> semodule_package -m local.mod -o local.pp > >>> semodule -i local.pp > >>> > >>> > >>> it looks like you probably skipped the middle step.. 
> >>> > >>> > > > > > From jbrindle at tresys.com Fri Oct 6 19:26:06 2006 From: jbrindle at tresys.com (Joshua Brindle) Date: Fri, 06 Oct 2006 15:26:06 -0400 Subject: Trouble with module In-Reply-To: <4526AB16.1000401@pierre.juhen> References: <4822015.335571160118709458.JavaMail.www@wwinf1506> <452645F8.6070103@tresys.com> <4526A6B7.8090400@pierre.juhen> <1160161167.2905.24.camel@twoface.columbia.tresys.com> <4526AB16.1000401@pierre.juhen> Message-ID: <1160162767.2905.37.camel@twoface.columbia.tresys.com> On Fri, 2006-10-06 at 21:14 +0200, Pierre JUHEN wrote: > I cleaned the /etc/selinux/targeted/modules/active/modules directory > > Transcript session under root directory > > root at pierre ~]# cat /var/log/audit/audit.log | audit2allow -M local > Generating type enforcment file: local.te > Compiling policy > checkmodule -M -m -o local.mod local.te > semodule_package -o local.pp -m local.mod > > ******************** IMPORTANT *********************** > > In order to load this newly created policy package into the kernel, > you are required to execute > > semodule -i local.pp > > > [root at pierre ~]# semodule -i local.pp > semodule: Could not read file 'local.pp': > > ls -l local* > -rw-r--r-- 1 root root 1961 oct 6 21:06 local.mod > -rw-r--r-- 1 root root 1977 oct 6 21:06 local.pp > -rw-r--r-- 1 root root 496 oct 6 21:06 local.te > > Local.pp is here, but semodule can not read it. > > > What shoul I try now you are probably getting a denial for semanage_t to read user_home_t. 
Try copying local.pp to /usr/share/selinux/targeted and then running semodule -i /usr/share/selinux/targeted/local.pp From olivares14031 at yahoo.com Sat Oct 7 00:16:19 2006 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Fri, 6 Oct 2006 17:16:19 -0700 (PDT) Subject: How do I fix the following denied avc's Message-ID: <20061007001619.70617.qmail@web52613.mail.yahoo.com> System Fedora Core 6 Test updated as of 10/06/2006 [olivares at localhost ~]$ cat /etc/fedora-release Fedora Core release 5.92 (FC6 Test3) SELinux: initialized (dev autofs, type autofs), uses genfs_contexts SELinux: initialized (dev autofs, type autofs), uses genfs_contexts audit(1160161820.458:4): avc: denied { name_bind } for pid=1994 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket audit(1160161825.798:5): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1160161825.798:6): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1160161825.798:7): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1160161825.798:8): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1160161825.798:9): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir Thanks, Antonio From dwalsh at redhat.com Sat Oct 7 11:34:10 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 07 Oct 2006 07:34:10 -0400 Subject: How do I 
fix the following denied avc's In-Reply-To: <20061007001619.70617.qmail@web52613.mail.yahoo.com> References: <20061007001619.70617.qmail@web52613.mail.yahoo.com> Message-ID: <452790B2.2060600@redhat.com> Antonio Olivares wrote: > System Fedora Core 6 Test updated as of 10/06/2006 > > [olivares at localhost ~]$ cat /etc/fedora-release > Fedora Core release 5.92 (FC6 Test3) > > > SELinux: initialized (dev autofs, type autofs), uses genfs_contexts > SELinux: initialized (dev autofs, type autofs), uses genfs_contexts > audit(1160161820.458:4): avc: denied { name_bind } for pid=1994 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket > audit(1160161825.798:5): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1160161825.798:6): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1160161825.798:7): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1160161825.798:8): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1160161825.798:9): avc: denied { search } for pid=2152 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > > > The latest policy should have these rules. So yum update should fix. 
You can also use audit2allow to build a loadable policy module grep avc /var/log/audit/audit.log | audit2allow -M local > Thanks, > > Antonio > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From selinux at gmail.com Sat Oct 7 17:29:53 2006 From: selinux at gmail.com (Tom London) Date: Sat, 7 Oct 2006 10:29:53 -0700 Subject: AVCs from today's update... Message-ID: <4c4ba1530610071029x3828262ckde60780c72fb40ad@mail.gmail.com> Running rawhide, targeted/enforcing. pirut update (selected 'update' from tray icon) of today's packages produced the following AVCs: type=AVC msg=audit(1160241847.264:23): avc: denied { use } for pid=3510 comm="groupadd" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd type=AVC msg=audit(1160241847.264:23): avc: denied { use } for pid=3510 comm="groupadd" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd type=SYSCALL msg=audit(1160241847.264:23): arch=40000003 syscall=11 success=yes exit=0 a0=9b23160 a1=9b22580 a2=9b232c0 a3=9b22f58 items=0 ppid=3509 pid=3510 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 key=(null) type=AVC_PATH msg=audit(1160241847.264:23): path="pipe:[12624]" type=AVC_PATH msg=audit(1160241847.264:23): path="pipe:[12624]" type=AVC msg=audit(1160241932.886:24): avc: denied { use } for pid=3563 comm="depmod" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd type=AVC msg=audit(1160241932.886:24): avc: denied { use } for pid=3563 comm="depmod" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd 
type=SYSCALL msg=audit(1160241932.886:24): arch=40000003 syscall=11 success=yes exit=0 a0=8b94460 a1=8b864d8 a2=8b89d78 a3=8b946c8 items=0 ppid=3550 pid=3563 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241932.886:24): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241932.886:24): path="pipe:[12624]"
type=AVC msg=audit(1160241933.218:25): avc: denied { use } for pid=3564 comm="mkinitrd" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1160241933.218:25): avc: denied { use } for pid=3564 comm="mkinitrd" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1160241933.218:25): arch=40000003 syscall=11 success=yes exit=0 a0=8b93fb0 a1=8b864d8 a2=8b89d78 a3=8b942f0 items=0 ppid=3550 pid=3564 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241933.218:25): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241933.218:25): path="pipe:[12624]"
type=AVC msg=audit(1160241947.891:26): avc: denied { use } for pid=5039 comm="semodule" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=AVC msg=audit(1160241947.891:26): avc: denied { use } for pid=5039 comm="semodule" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1160241947.891:26): arch=40000003 syscall=11 success=yes exit=0 a0=8d527e0 a1=8d54828 a2=8d54768 a3=8d53090 items=0 ppid=5038 pid=5039 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241947.891:26): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241947.891:26): path="pipe:[12624]"
type=MAC_POLICY_LOAD msg=audit(1160241953.404:27): policy loaded auid=500
type=SYSCALL msg=audit(1160241953.404:27): arch=40000003 syscall=4 success=yes exit=988177 a0=4 a1=b7ed6000 a2=f1411 a3=bfa84ff8 items=0 ppid=5039 pid=5041 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0 key=(null)
type=AVC msg=audit(1160241954.796:28): avc: denied { write } for pid=5073 comm="restorecon" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1160241954.796:28): avc: denied { write } for pid=5073 comm="restorecon" name="[12624]" dev=pipefs ino=12624 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160241954.796:28): arch=40000003 syscall=11 success=yes exit=0 a0=8550998 a1=8550c18 a2=8545bd8 a3=85506c0 items=0 ppid=5045 pid=5073 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="restorecon" exe="/sbin/restorecon" subj=system_u:system_r:restorecon_t:s0 key=(null)
type=AVC_PATH msg=audit(1160241954.796:28): path="pipe:[12624]"
type=AVC_PATH msg=audit(1160241954.796:28): path="pipe:[12624]"

-- Tom London

From selinux at gmail.com Sat Oct 7 17:38:26 2006
From: selinux at gmail.com (Tom London)
Date: Sat, 7 Oct 2006 10:38:26 -0700
Subject: /media/\.hal-.*
Message-ID: <4c4ba1530610071038p2e5eb3f7xd827743a26b371a4@mail.gmail.com>

Get this after today's policy update:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /media/\.hal-.*.
-- Tom London

From gene at czarc.net Sun Oct 8 19:32:04 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Sun, 8 Oct 2006 15:32:04 -0400
Subject: FC6 SELinux issues
In-Reply-To: <452516DE.2060804@redhat.com>
References: <200610041709.08994.gene@czarc.net> <200610041911.22792.gene@czarc.net> <452516DE.2060804@redhat.com>
Message-ID: <200610081532.04747.gene@czarc.net>

On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
> MLS Policy is a server only policy. IE We do not support X-Windows.
> So if you want to change to MLS you need to remove all X-Windows
> software and relabel. Then it should work, but you need to understand
> how an MLS environment works.

OK, I have set up something I consider to be server oriented (no X). I get a bunch of avc denied messages (permissive mode).

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209950

>
> Strict policy is not heavily tested in Fedora. Most people run
> targeted. We will look at any problems that you have with it, though.

Most of the problems in mls mode seem to be the same in strict mode.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209949

I assume that strict mode should be capable of running X ... true or false?

-- Gene

From jbrindle at tresys.com Mon Oct 9 12:44:03 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Mon, 09 Oct 2006 08:44:03 -0400
Subject: SELinux Symposium CFP extended
Message-ID: <1160397843.16814.5.camel@twoface.columbia.tresys.com>

We have extended the SELinux Symposium call for papers to Next Monday, October 16, 2006. At that time all papers must be submitted to be considered.

Thank you and we look forward to seeing your submissions.

Joshua Brindle

From cpebenito at tresys.com Mon Oct 9 14:05:28 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Mon, 09 Oct 2006 10:05:28 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610081532.04747.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610041911.22792.gene@czarc.net> <452516DE.2060804@redhat.com> <200610081532.04747.gene@czarc.net>
Message-ID: <1160402728.20774.9.camel@sgc>

On Sun, 2006-10-08 at 15:32 -0400, Gene Czarcinski wrote:
> On Thursday 05 October 2006 10:29, Daniel J Walsh wrote:
> > Strict policy is not heavily tested in Fedora. Most people run
> > targeted. We will look at any problems that you have with it, though.
>
> Most of the problems in mls mode seem to be the same in strict mode.

That is not surprising since the mls policy is a subset of the strict policy with MLS policy enabled.

> I assume that strict mode should be capable of running X ... true or
> false?

Strictly speaking (no pun intended) yes, since it does have the xserver module. In reality, it probably still has issues since very few desktop users want a strict policy, so it is untested.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From gene at czarc.net Mon Oct 9 20:40:59 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Mon, 9 Oct 2006 16:40:59 -0400
Subject: FC6 SELinux issues
In-Reply-To: <1160402728.20774.9.camel@sgc>
References: <200610041709.08994.gene@czarc.net> <200610081532.04747.gene@czarc.net> <1160402728.20774.9.camel@sgc>
Message-ID: <200610091640.59995.gene@czarc.net>

On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
> > I assume that strict mode should be capable of running X ... true or
> > false?
>
> Strictly speaking (no pun intended) yes, since it does have the xserver
> module. In reality, it probably still has issues since very few desktop
> users want a strict policy, so it is untested.

While a server may not have a good display directly attached, it would be useful to run X remotely since some of the system configuration tools are gui only ... for example, selinux.

-- Gene

From ynakam at hitachisoft.jp Tue Oct 10 00:02:29 2006
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Tue, 10 Oct 2006 09:02:29 +0900
Subject: No type=PATH record in FC6 audit?
In-Reply-To: <1160144995.12253.63.camel@moss-spartans.epoch.ncsc.mil>
References: <1160144995.12253.63.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20061010090229.d7564556.ynakam@hitachisoft.jp>

On Fri, 06 Oct 2006 10:29:55 -0400
Stephen Smalley wrote:
> > I am playing with FC6-test3.
> > I installed audit,
> > and found that type=PATH record does not appear in audit.log,
> > when access is denied by SELinux.
> >
> > Will type=PATH record disappear in FC6?
> If you define any audit rules via auditctl (or put them
> into /etc/audit/audit.rules for loading upon startup), then you should
> see them again. There is an optimization in the audit system to disable
> collection of audit data like paths if there are no audit rules to avoid
> the overhead associated with such collection. This means you need at
> least one audit rule defined to get that information.

I have tried it now.
PATH entry appeared by adding a dummy audit rule.
Thank you.

Yuichi

From method at gentoo.org Tue Oct 10 01:22:50 2006
From: method at gentoo.org (Joshua Brindle)
Date: Mon, 09 Oct 2006 21:22:50 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610091640.59995.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610081532.04747.gene@czarc.net> <1160402728.20774.9.camel@sgc> <200610091640.59995.gene@czarc.net>
Message-ID: <452AF5EA.4000702@gentoo.org>

Gene Czarcinski wrote:
> On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
>
>>> I assume that strict mode should be capable of running X ... true or
>>> false?
>>>
>> Strictly speaking (no pun intended) yes, since it does have the xserver
>> module. In reality, it probably still has issues since very few desktop
>> users want a strict policy, so it is untested.
>>
>
> While a server may not have a good display directly attached, it would be
> useful to run X remotely since some of the system configuration tools are gui
> only ... for example, selinux.
>

running X apps that are exported to a remote machine isn't the same thing as running an Xserver on the local machine.

From gene at czarc.net Tue Oct 10 01:57:53 2006
From: gene at czarc.net (Gene Czarcinski)
Date: Mon, 9 Oct 2006 21:57:53 -0400
Subject: FC6 SELinux issues
In-Reply-To: <452AF5EA.4000702@gentoo.org>
References: <200610041709.08994.gene@czarc.net> <200610091640.59995.gene@czarc.net> <452AF5EA.4000702@gentoo.org>
Message-ID: <200610092157.53210.gene@czarc.net>

On Monday 09 October 2006 21:22, Joshua Brindle wrote:
> Gene Czarcinski wrote:
> > On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
> >
> >>> I assume that strict mode should be capable of running X ... true or
> >>> false?
> >>>
> >>
> >> Strictly speaking (no pun intended) yes, since it does have the xserver
> >> module. In reality, it probably still has issues since very few desktop
> >> users want a strict policy, so it is untested.
> >>
> >
> > While a server may not have a good display directly attached, it would be
> > useful to run X remotely since some of the system configuration tools are
> > gui only ... for example, selinux.
>
> running X apps that are exported to a remote machine isn't the same
> thing as running an Xserver on the local machine.

Yes, but I was told not to install X (it was not supported). If it is "only" the running of Xserver that is not supported with strict or mls policies, then I can live with that. However, running Xserver will need to be supported to be competitive with TSOL.

-- Gene

From cpebenito at tresys.com Tue Oct 10 13:17:41 2006
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Tue, 10 Oct 2006 09:17:41 -0400
Subject: FC6 SELinux issues
In-Reply-To: <200610092157.53210.gene@czarc.net>
References: <200610041709.08994.gene@czarc.net> <200610091640.59995.gene@czarc.net> <452AF5EA.4000702@gentoo.org> <200610092157.53210.gene@czarc.net>
Message-ID: <1160486261.20774.30.camel@sgc>

On Mon, 2006-10-09 at 21:57 -0400, Gene Czarcinski wrote:
> On Monday 09 October 2006 21:22, Joshua Brindle wrote:
> > Gene Czarcinski wrote:
> > > On Monday 09 October 2006 10:05, Christopher J. PeBenito wrote:
> > >
> > >>> I assume that strict mode should be capable of running X ... true or
> > >>> false?
> > >>>
> > >>
> > >> Strictly speaking (no pun intended) yes, since it does have the xserver
> > >> module. In reality, it probably still has issues since very few desktop
> > >> users want a strict policy, so it is untested.
> > >>
> > >
> > > While a server may not have a good display directly attached, it would be
> > > useful to run X remotely since some of the system configuration tools are
> > > gui only ... for example, selinux.
> >
> > running X apps that are exported to a remote machine isn't the same
> > thing as running an Xserver on the local machine.
>
> Yes, but I was told not to install X (it was not supported). If it is "only"
> the running of Xserver that is not supported with strict or mls policies,
> then I can live with that. However, running Xserver will need to be
> supported to be competitive with TSOL.

I believe that you are confusing "supported" w.r.t. Red Hat and "supported" w.r.t. SELinux itself. I believe Red Hat only supports the strict policy on RHEL and only with a support contract. I'm guessing it will probably be the same for the MLS/LSPP policy. As for SELinux in general, X servers can work on the strict policy, it just hasn't had much testing with the 2.* (reference policy-based) policies.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From dnedrow at usa.net Tue Oct 10 13:23:13 2006
From: dnedrow at usa.net (David Nedrow)
Date: Tue, 10 Oct 2006 09:23:13 -0400
Subject: FC5, SELinux strict, and kickstart
Message-ID: <2299B427-3FA4-493C-B0A3-97BEBB79910A@usa.net>

Has anyone successfully installed FC5 while specifying the strict policy via kickstart?

I've made the changes recommended in the FC5 SELinux FAQ (adding % package entry for selinux-policy-strict and lokkit/touch lines to kickstart), but when the system boots everything seems to hang. If I boot permissive, I see a ton of entries in the audit log that appear to relate to virtually every step of the boot process.

The odd thing is, if I install manually from the DVD, everything works fine. It's only when I try an automated network build that things seem to fall apart.

Does this question more properly belong to the kickstart list?

Any help will be appreciated.

-David

From shin216 at xf7.so-net.ne.jp Tue Oct 10 14:32:50 2006
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Tue, 10 Oct 2006 23:32:50 +0900
Subject: FC5, SELinux strict, and kickstart
In-Reply-To: <2299B427-3FA4-493C-B0A3-97BEBB79910A@usa.net>
References: <2299B427-3FA4-493C-B0A3-97BEBB79910A@usa.net>
Message-ID: <1160490771.2664.13.camel@mama.intrajp-yokosuka.co.jp>

I run a server on strict policy. I'll tell you what I did.
First you should pull your network plug. And set permissive strict.
And you should make a module from /var/log/messages. And reboot.
Then you should make a module from audit.log.
You should make a module for every service, because you want to make it strict.
I suggest you make it Enforcing and every time you get denied messages, you allow them one by one.
You can consult the SELinux FAQ or Mr. Dan Walsh's blog.
I struggled with cron for a month, but you can consult the interfaces concerning cron.
I advise you to take advantage of interfaces.
Patience is all you need. You will be rewarded.
Anyway, I heard the strict policy is not tested well, so if you succeed, please let us know.
I somehow managed apache, mysql, postgresql, dns, no-ip (my original)...
And remember no one can complain about what you did.
Security is a private issue, but don't bother anybody.

On 2006-10-10 (Tue) at 09:23 -0400, David Nedrow wrote:
> Has anyone successfully installed FC5 while specifying the strict
> policy via kickstart?
>
> I've made the changes recommended in the FC5 SELinux FAQ (adding %
> package entry for selinux-policy-strict and lokkit/touch lines to
> kickstart), but when the system boots everything seems to hang. If I
> boot permissive, I see a ton of entries in the audit log that appear
> to relate to virtually every step of the boot process.
>
> The odd thing is, if I install manually from the DVD, everything
> works fine. It's only when I try an automated network build that
> things seem to fall apart.
>
>
> Does this question more properly belong to the kickstart list?
>
> Any help will be appreciated.
>
> -David
>

From selinux at gmail.com Wed Oct 11 13:40:10 2006
From: selinux at gmail.com (Tom London)
Date: Wed, 11 Oct 2006 06:40:10 -0700
Subject: AVCs from pup(let) on kernel package installs
Message-ID: <4c4ba1530610110640n503949a3q9947776607c28639@mail.gmail.com>

Running yesterday's rawhide, targeted/permissive.

Installing today's rawhide updates using the pup system tray icon (e.g., selecting 'Apply updates' from the icon):

[root at localhost ~]# audit2allow -i log
allow bootloader_t xdm_t:fifo_file { getattr write };
allow depmod_t xdm_t:fifo_file write;
allow lvm_t xdm_t:fifo_file write;
[root at localhost ~]#

Appears to be a problem (missing transition?) when installing kernel packages.

In today's updates, I updated kernel, kernel-PAE and kernel-xen packages and got the following.
I tried to associate the AVC's with the packages (not 100% sure on the associations):

kernel:
type=AVC msg=audit(1160573358.763:32): avc: denied { write } for pid=3714 comm="depmod" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573358.763:32): arch=40000003 syscall=11 success=yes exit=0 a0=9d1c318 a1=9d0e4d8 a2=9d11ce0 a3=9d1c648 items=0 ppid=3706 pid=3714 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573358.763:32): path="pipe:[12557]"
type=AVC msg=audit(1160573359.115:33): avc: denied { write } for pid=3715 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573359.115:33): arch=40000003 syscall=11 success=yes exit=0 a0=9d1be40 a1=9d0e4d8 a2=9d11ce0 a3=9d1c358 items=0 ppid=3706 pid=3715 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573359.115:33): path="pipe:[12557]"
type=AVC msg=audit(1160573359.159:34): avc: denied { getattr } for pid=3722 comm="awk" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573359.159:34): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bf999684 a2=4765cff4 a3=bf999684 items=0 ppid=3720 pid=3722 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573359.159:34): path="pipe:[12557]"
type=AVC msg=audit(1160573362.655:35): avc: denied { write } for pid=4181 comm="dmsetup" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573362.655:35): arch=40000003 syscall=11 success=yes exit=0 a0=870f468 a1=873e160 a2=8736d88 a3=873dec8 items=0 ppid=4180 pid=4181 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573362.655:35): path="pipe:[12557]"

kernel-PAE
type=AVC msg=audit(1160573388.537:36): avc: denied { getattr } for pid=5609 comm="awk" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573388.537:36): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff0dc04 a2=4765cff4 a3=bff0dc04 items=0 ppid=5606 pid=5609 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573388.537:36): path="pipe:[12557]"
type=AVC msg=audit(1160573389.721:37): avc: denied { write } for pid=5905 comm="dmsetup" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573389.721:37): arch=40000003 syscall=11 success=yes exit=0 a0=8c961c0 a1=8ca0818 a2=8c97da0 a3=8c6bae0 items=0 ppid=5904 pid=5905 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573389.721:37): path="pipe:[12557]"

kernel-xen
type=AVC msg=audit(1160573388.537:36): avc: denied { getattr } for pid=5609 comm="awk" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573388.537:36): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff0dc04 a2=4765cff4 a3=bff0dc04 items=0 ppid=5606 pid=5609 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573388.537:36): path="pipe:[12557]"
type=AVC msg=audit(1160573389.721:37): avc: denied { write } for pid=5905 comm="dmsetup" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573389.721:37): arch=40000003 syscall=11 success=yes exit=0 a0=8c961c0 a1=8ca0818 a2=8c97da0 a3=8c6bae0 items=0 ppid=5904 pid=5905 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573389.721:37): path="pipe:[12557]"
type=AVC msg=audit(1160573445.578:38): avc: denied { write } for pid=7354 comm="depmod" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.578:38): arch=40000003 syscall=11 success=yes exit=0 a0=842e460 a1=84204d8 a2=8423d78 a3=842e6c8 items=0 ppid=7341 pid=7354 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.578:38): path="pipe:[12557]"
type=AVC msg=audit(1160573445.854:39): avc: denied { write } for pid=7355 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.854:39): arch=40000003 syscall=11 success=yes exit=0 a0=842dfb0 a1=84204d8 a2=8423d78 a3=842e2f0 items=0 ppid=7341 pid=7355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.854:39): path="pipe:[12557]"
type=AVC msg=audit(1160573449.574:40): avc: denied { getattr } for pid=7523 comm="awk" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573449.574:40): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bfd34a34 a2=4765cff4 a3=bfd34a34 items=0 ppid=7520 pid=7523 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573449.574:40): path="pipe:[12557]"
type=AVC msg=audit(1160573450.622:41): avc: denied { write } for pid=7819 comm="dmsetup" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573450.622:41): arch=40000003 syscall=11 success=yes exit=0 a0=9f6d1c0 a1=9f77818 a2=9f6eda0 a3=9f42ae0 items=0 ppid=7818 pid=7819 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573450.622:41): path="pipe:[12557]"

couldn't tell which one:
type=AVC msg=audit(1160573388.537:36): avc: denied { getattr } for pid=5609 comm="awk" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573388.537:36): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff0dc04 a2=4765cff4 a3=bff0dc04 items=0 ppid=5606 pid=5609 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573388.537:36): path="pipe:[12557]"
type=AVC msg=audit(1160573389.721:37): avc: denied { write } for pid=5905 comm="dmsetup" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573389.721:37): arch=40000003 syscall=11 success=yes exit=0 a0=8c961c0 a1=8ca0818 a2=8c97da0 a3=8c6bae0 items=0 ppid=5904 pid=5905 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573389.721:37): path="pipe:[12557]"
type=AVC msg=audit(1160573445.578:38): avc: denied { write } for pid=7354 comm="depmod" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.578:38): arch=40000003 syscall=11 success=yes exit=0 a0=842e460 a1=84204d8 a2=8423d78 a3=842e6c8 items=0 ppid=7341 pid=7354 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.578:38): path="pipe:[12557]"
type=AVC msg=audit(1160573445.854:39): avc: denied { write } for pid=7355 comm="mkinitrd" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573445.854:39): arch=40000003 syscall=11 success=yes exit=0 a0=842dfb0 a1=84204d8 a2=8423d78 a3=842e2f0 items=0 ppid=7341 pid=7355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mkinitrd" exe="/bin/bash" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573445.854:39): path="pipe:[12557]"
type=AVC msg=audit(1160573449.574:40): avc: denied { getattr } for pid=7523 comm="awk" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573449.574:40): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bfd34a34 a2=4765cff4 a3=bfd34a34 items=0 ppid=7520 pid=7523 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="awk" exe="/bin/gawk" subj=system_u:system_r:bootloader_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573449.574:40): path="pipe:[12557]"
type=AVC msg=audit(1160573450.622:41): avc: denied { write } for pid=7819 comm="dmsetup" name="[12557]" dev=pipefs ino=12557 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1160573450.622:41): arch=40000003 syscall=11 success=yes exit=0 a0=9f6d1c0 a1=9f77818 a2=9f6eda0 a3=9f42ae0 items=0 ppid=7818 pid=7819 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dmsetup" exe="/sbin/dmsetup" subj=system_u:system_r:lvm_t:s0 key=(null)
type=AVC_PATH msg=audit(1160573450.622:41): path="pipe:[12557]"

tom

-- Tom London

From boober95 at rogers.com Fri Oct 13 01:32:20 2006
From: boober95 at rogers.com (Bill)
Date: Thu, 12 Oct 2006 21:32:20 -0400
Subject: AVC deny message from sendmail?
Message-ID:

I've been looking at SELinux under FC5 using the 'strict' policy and was surprised to see that even in a standard desktop install 'sendmail' appears to produce a number of deny messages.

I took a look at the messages to see if they were part of the policy and the first thing I found was I couldn't find the source for the policy, just the 'if' files and various modules. I did take a look at the reference policy sources, and the messages seem to be covered by various allows in that version of the strict policy, so I am a bit confused as to what is happening here.

I'd like to be able to run 'strict' and not see any policy denies; but am not sure what I can do about it other than loading a brand new sendmail.te?
Bill

From robin-lists at robinbowes.com  Fri Oct 13 15:19:00 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 16:19:00 +0100
Subject: xen, selinux, FC5
Message-ID:

Hi,

I'm trying to get xen working on FC5 with SELinux enabled.

# rpm -q kernel-xen0 xen selinux-policy
kernel-xen0-2.6.17-1.2187_FC5
xen-3.0.2-3.FC5
selinux-policy-2.3.7-2.fc5

I'm doing it by running stuff and seeing what AVC msgs I get and creating a custom module to allow them.

e.g., I run this command:

audit2allow -M local -l -i /var/log/audit/audit.log

Then merge any new entries from local.te into xen.te and rebuild the module:

export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp

This seems to be working fine - I have FC5 installed as a host, with a guest install of FC5 running as a guest. The "snapshot" capability also works (xm save ...).

This is the module I'm using:

module local 1.0;

require {
	class chr_file { read write };
	class dir { add_name create search setattr write };
	class fd use;
	class file { append create read write };
	class unix_stream_socket { read write };
	type home_root_t;
	type ifconfig_t;
	type local_login_t;
	type netutils_t;
	type proc_xen_t;
	type tmp_t;
	type tty_device_t;
	type user_home_dir_t;
	type user_home_t;
	type var_log_t;
	type var_run_t;
	type xend_t;
	type xend_var_log_t;
	role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };

My question is: is this the right approach to getting xen (or any app) working under selinux? Or is there an easier way? Am I opening up any major security holes doing this?

One other problem I've noticed is that the xendomains init script didn't start the domains at boot, or from the command-line. I've copied the new one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075 but I was seeing this error:

# service xendomains start
Starting auto Xen domains:Error: Disk isn't accessible

This is the context of that file:

-rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains

I copied xendomains to xendomains.new so it has this context:

-rwxr-xr-x root root root:object_r:etc_t xendomains.new

And the script now works.

Again, is this the (or a) correct fix? Any security problems with this?

Thanks,

R.

From robin-lists at robinbowes.com  Fri Oct 13 15:48:16 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 16:48:16 +0100
Subject: xen, selinux, FC5
In-Reply-To:
References:
Message-ID:

Robin Bowes wrote:
> One other problem I've noticed is that the xendomains init script didn't
> start the domains at boot, or from the command-line. I've copied the new
> one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
> but I was seeing this error:
>
> # service xendomains start
> Starting auto Xen domains:Error: Disk isn't accessible
>
> This is the context of that file:
>
> -rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
>
> I copied xendomains to xendomains.new so it has this context:
>
> -rwxr-xr-x root root root:object_r:etc_t xendomains.new
>
> And the script now works.
>
> Again, is this the (or a) correct fix? Any security problems with this?

Hmmm. xendomains is not starting the guest instances at reboot.
I see this error in send.log:

[2006-10-13 16:34:28 xend] ERROR (XendBootloader:36) Disk isn't accessible

I also get new AVC msgs:

allow xm_t fixed_disk_device_t:blk_file read;

When I add this to the policy file, i.e.:

class blk_file read;
type fixed_disk_device_t;
type xm_t;
allow xm_t fixed_disk_device_t:blk_file read;

I get this error when loading the compiled policy:

# semodule -i $xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

Any suggestions as to how to fix this?

Thanks,

R.

From sds at tycho.nsa.gov  Fri Oct 13 15:58:10 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 13 Oct 2006 11:58:10 -0400
Subject: xen, selinux, FC5
In-Reply-To:
References:
Message-ID: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-13 at 16:48 +0100, Robin Bowes wrote:
> Robin Bowes wrote:
> > One other problem I've noticed is that the xendomains init script didn't
> > start the domains at boot, or from the command-line. I've copied the new
> > one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
> > but I was seeing this error:
> >
> > # service xendomains start
> > Starting auto Xen domains:Error: Disk isn't accessible
> >
> > This is the context of that file:
> >
> > -rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
> >
> > I copied xendomains to xendomains.new so it has this context:
> >
> > -rwxr-xr-x root root root:object_r:etc_t xendomains.new
> >
> > And the script now works.
> >
> > Again, is this the (or a) correct fix? Any security problems with this?
>
> Hmmm. xendomains is not starting the guest instances at reboot.
>
> I see this error in send.log:
>
> [2006-10-13 16:34:28 xend] ERROR (XendBootloader:36) Disk isn't accessible
>
> I also get new AVC msgs:
>
> allow xm_t fixed_disk_device_t:blk_file read;
>
> When I add this to the policy file, i.e.:
>
> class blk_file read;
> type fixed_disk_device_t;
> type xm_t;
> allow xm_t fixed_disk_device_t:blk_file read;
>
> I get this error when loading the compiled policy:
>
> # semodule -i $xen.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> xm_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> Any suggestions as to how to fix this?

The assertion is to prevent accidental granting of read access to a raw disk device. Is that truly required here?

To allow it, you need to use the interface for it, e.g.
storage_raw_read_fixed_disk(xm_t)
That interface is defined in kernel/storage.if. In addition to allowing the permission, it adds a type attribute to the type that excludes from the assertion.

--
Stephen Smalley
National Security Agency

From robin-lists at robinbowes.com  Fri Oct 13 16:12:21 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 17:12:21 +0100
Subject: xen, selinux, FC5
In-Reply-To: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil>
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Stephen Smalley wrote:
>
> The assertion is to prevent accidental granting of read access to a
> raw disk device. Is that truly required here?

Probably - the root disk of the guest O/S instance is an lvm partition, e.g. /dev/vg01/lv_guest

> To allow it, you need to use the interface for it, e.g.
> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> kernel/storage.if. In addition to allowing the permission, it adds a
> type attribute to the type that excludes from the assertion.
So, what would that look like in the policy file?

Thanks,

R.

From sds at tycho.nsa.gov  Fri Oct 13 16:20:11 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 13 Oct 2006 12:20:11 -0400
Subject: xen, selinux, FC5
In-Reply-To:
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> >
> > The assertion is to prevent accidental granting of read access to a
> > raw disk device. Is that truly required here?
>
> Probably - the root disk of the guest O/S instance is an lvm partition,
> e.g. /dev/vg01/lv_guest
>
> > To allow it, you need to use the interface for it, e.g.
> > storage_raw_read_fixed_disk(xm_t) That interface is defined in
> > kernel/storage.if. In addition to allowing the permission, it adds a
> > type attribute to the type that excludes from the assertion.
>
> So, what would that look like in the policy file?

If you build using the devel makefile (e.g. make -f /usr/share/selinux/devel/Makefile or copy it over to where you are working on your module), then you can use the interface as I described, i.e. just put
storage_raw_read_fixed_disk(xm_t)
in your .te file.

That Makefile will pull in the headers and expand it properly. Should handle the checkmodule and semodule_package side of things, leaving you with just running semodule -i to install it once built.

--
Stephen Smalley
National Security Agency

From robin-lists at robinbowes.com  Fri Oct 13 16:25:03 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 17:25:03 +0100
Subject: xen, selinux, FC5
In-Reply-To: <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil>
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil> <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Stephen Smalley wrote:
> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>> Stephen Smalley wrote:
>>> The assertion is to prevent accidental granting of read access to a
>>> raw disk device. Is that truly required here?
>> Probably - the root disk of the guest O/S instance is an lvm partition,
>> e.g. /dev/vg01/lv_guest
>>
>>> To allow it, you need to use the interface for it, e.g.
>>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
>>> kernel/storage.if. In addition to allowing the permission, it adds a
>>> type attribute to the type that excludes from the assertion.
>> So, what would that look like in the policy file?
>
> If you build using the devel makefile (e.g. make
> -f /usr/share/selinux/devel/Makefile or copy it over to where you are
> working on your module), then you can use the interface as I described,
> i.e. just put
> storage_raw_read_fixed_disk(xm_t)
> in your .te file.
>
> That Makefile will pull in the headers and expand it properly.
> Should handle the checkmodule and semodule_package side of things,
> leaving you with just running semodule -i to install it once built.
I'm actually doing this:

Use audit2allow to identify AVC denied msgs:

audit2allow -M local -l -i /var/log/audit/audit.log

Copy the contents of the local.te file produced by the command to xen.te

Compile and install the policy like this:

export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp

Will "storage_raw_read_fixed_disk(xm_t)" fit into the class/type/role format used in the .te files? Or do I need to do something different?

Thanks for your help with this.

R.

From sds at tycho.nsa.gov  Fri Oct 13 16:39:27 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 13 Oct 2006 12:39:27 -0400
Subject: xen, selinux, FC5
In-Reply-To:
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil> <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> >> Stephen Smalley wrote:
> >>> The assertion is to prevent accidental granting of read access to a
> >>> raw disk device. Is that truly required here?
> >> Probably - the root disk of the guest O/S instance is an lvm partition,
> >> e.g. /dev/vg01/lv_guest
> >>
> >>> To allow it, you need to use the interface for it, e.g.
> >>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> >>> kernel/storage.if. In addition to allowing the permission, it adds a
> >>> type attribute to the type that excludes from the assertion.
> >> So, what would that look like in the policy file?
> >
> > If you build using the devel makefile (e.g. make
> > -f /usr/share/selinux/devel/Makefile or copy it over to where you are
> > working on your module), then you can use the interface as I described,
> > i.e. just put
> > storage_raw_read_fixed_disk(xm_t)
> > in your .te file.
> >
> > That Makefile will pull in the headers and expand it properly.
> > Should handle the checkmodule and semodule_package side of things,
> > leaving you with just running semodule -i to install it once built.
>
> I'm actually doing this:
>
> Use audit2allow to identify AVC denied msgs:
>
> audit2allow -M local -l -i /var/log/audit/audit.log
>
> Copy the contents of the local.te file produced by the command to xen.te
>
> Compile and install the policy like this:
>
> export SEAPP=xen
> checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
> semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
> semodule -i ${SEAPP}.pp
>
> Will "storage_raw_read_fixed_disk(xm_t)" fit into the class/type/role
> format used in the .te files? Or do I need to do something different?

You need to do something different if you want to use refpolicy interfaces (which are presently m4 macros, but will eventually be first class constructs in the language that will be handled at link time); storage_raw_read_fixed_disk() is such an interface. The easiest thing to do is to use the devel Makefile. Instead of manually running checkmodule and semodule_package, you just do:
mkdir xen
cp xen.te xen/
cd xen
make -f /usr/share/selinux/devel/Makefile

The Makefile will then handle pulling in the refpolicy interface headers, applying m4, running checkmodule on the result, and running semodule_package, leaving you with a xen.pp file that you can install.
--
Stephen Smalley
National Security Agency

From robin-lists at robinbowes.com  Fri Oct 13 18:51:53 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 19:51:53 +0100
Subject: xen, selinux, FC5
In-Reply-To: <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil>
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil> <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil> <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Stephen Smalley wrote:
> You need to do something different if you want to use refpolicy
> interfaces (which are presently m4 macros, but will eventually be first
> class constructs in the language that will be handled at link time);
> storage_raw_read_fixed_disk() is such an interface. The easiest thing
> to do is to use the devel Makefile. Instead of manually running
> checkmodule and semodule_package, you just do:
> mkdir xen
> cp xen.te xen/
> cd xen
> make -f /usr/share/selinux/devel/Makefile
>
> The Makefile will then handle pulling in the refpolicy interface
> headers, applying m4, running checkmodule on the result, and running
> semodule_package, leaving you with a xen.pp file that you can install.
>

Ok, I followed those instructions using the following .te file:

module local 1.0;

require {
	class blk_file read;
	class chr_file { read write };
	class dir { add_name create search setattr write };
	class fd use;
	class file { append create read write };
	class unix_stream_socket { read write };
	type fixed_disk_device_t;
	type home_root_t;
	type ifconfig_t;
	type local_login_t;
	type netutils_t;
	type proc_xen_t;
	type tmp_t;
	type tty_device_t;
	type user_home_dir_t;
	type user_home_t;
	type var_log_t;
	type var_run_t;
	type xend_t;
	type xend_var_log_t;
	type xm_t;
	role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
allow xm_t fixed_disk_device_t:blk_file read;

When I tried to install the module, I got this error:

# semodule -i xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

What am I doing wrong?

Thanks,

R.
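A toy checker for the assertion that this module trips, added here as an example (it is not code from the thread, from refpolicy or from libsepol): it expands storage_raw_read_fixed_disk() into the allow rule plus a typeattribute, the way the devel Makefile's m4 step does, and then flags any raw read of fixed_disk_device_t by a domain that lacks the fixed_disk_raw_read attribute. The exact neverallow text and the interface's expansion are simplified assumptions; the attribute name is the one that appears in the checkmodule output quoted in this thread.

```python
"""Model of the refpolicy raw-disk read assertion and its interface exemption.

Added example, not part of the thread. Assumption: the assertion libsepol
reports ("assertion on line 0 violated by allow xm_t
fixed_disk_device_t:blk_file { read }") behaves like

    neverallow ~fixed_disk_raw_read fixed_disk_device_t:blk_file read;

and storage_raw_read_fixed_disk(D) expands to the allow rule plus
'typeattribute D fixed_disk_raw_read;'. Both are simplified models.
"""
import re

EXEMPT_ATTR = "fixed_disk_raw_read"   # attribute name from the checkmodule error
RAW_TARGET = "fixed_disk_device_t"

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+(\w+)\s*;")
INTERFACE_RE = re.compile(r"^(\w+)\((\w+)\)\s*$")

# Interface expansions this model knows (assumption, see module docstring).
INTERFACES = {
    "storage_raw_read_fixed_disk": (
        "allow {d} fixed_disk_device_t:blk_file read;",
        "typeattribute {d} fixed_disk_raw_read;",
    ),
}


def expand(module_text):
    """Expand known interface calls into plain rules; other lines pass through."""
    out = []
    for raw in module_text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m and m.group(1) in INTERFACES:
            out.extend(t.format(d=m.group(2)) for t in INTERFACES[m.group(1)])
        elif line:
            out.append(line)
    return out


def check_raw_disk_assertion(module_text):
    """Return one message per allow rule that violates the modelled neverallow."""
    rules = expand(module_text)
    # Domains carrying the exemption attribute are outside the neverallow.
    exempt = set()
    for line in rules:
        m = TYPEATTR_RE.match(line)
        if m and m.group(2) == EXEMPT_ATTR:
            exempt.add(m.group(1))
    violations = []
    for line in rules:
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.group(1), m.group(2), m.group(3), m.group(4)
        perm_set = set(perms.strip("{} ").split())
        if tgt == RAW_TARGET and cls == "blk_file" and "read" in perm_set \
                and src not in exempt:
            violations.append(
                f"{src}: raw read of {tgt} without the {EXEMPT_ATTR} attribute; "
                f"use storage_raw_read_fixed_disk({src}) instead")
    return violations


# Constructed sample modules: the rule that failed in the thread, and the fix.
BROKEN_MODULE = """\
module local 1.0;

require {
	class blk_file read;
	type fixed_disk_device_t;
	type xm_t;
};

allow xm_t fixed_disk_device_t:blk_file read;
"""

FIXED_MODULE = """\
policy_module(local, 1.0)

require {
	type xm_t;
};

storage_raw_read_fixed_disk(xm_t)
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_MODULE), ("fixed", FIXED_MODULE)):
        problems = check_raw_disk_assertion(text)
        print(f"{name}: {'OK' if not problems else 'ASSERTION VIOLATED'}")
        for p in problems:
            print("  " + p)
```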
From sds at tycho.nsa.gov  Fri Oct 13 19:15:30 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 13 Oct 2006 15:15:30 -0400
Subject: xen, selinux, FC5
In-Reply-To:
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil> <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil> <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1160766930.14346.155.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > You need to do something different if you want to use refpolicy
> > interfaces (which are presently m4 macros, but will eventually be first
> > class constructs in the language that will be handled at link time);
> > storage_raw_read_fixed_disk() is such an interface. The easiest thing
> > to do is to use the devel Makefile. Instead of manually running
> > checkmodule and semodule_package, you just do:
> > mkdir xen
> > cp xen.te xen/
> > cd xen
> > make -f /usr/share/selinux/devel/Makefile
> >
> > The Makefile will then handle pulling in the refpolicy interface
> > headers, applying m4, running checkmodule on the result, and running
> > semodule_package, leaving you with a xen.pp file that you can install.
> >
>
> Ok, I followed those instructions using the following .te file:
>
> module local 1.0;
>
> require {
> class blk_file read;
> class chr_file { read write };
> class dir { add_name create search setattr write };
> class fd use;
> class file { append create read write };
> class unix_stream_socket { read write };
> type fixed_disk_device_t;
> type home_root_t;
> type ifconfig_t;
> type local_login_t;
> type netutils_t;
> type proc_xen_t;
> type tmp_t;
> type tty_device_t;
> type user_home_dir_t;
> type user_home_t;
> type var_log_t;
> type var_run_t;
> type xend_t;
> type xend_var_log_t;
> type xm_t;
> role system_r;
> };
>
> allow ifconfig_t var_log_t:file append;
> allow netutils_t proc_xen_t:file { read write };
> allow netutils_t xend_t:unix_stream_socket { read write };
> allow netutils_t xend_var_log_t:file { append write };
> allow xend_t home_root_t:dir { search write };
> allow xend_t local_login_t:fd use;
> allow xend_t tmp_t:dir search;
> allow xend_t tty_device_t:chr_file { read write };
> allow xend_t user_home_dir_t:dir { search write };
> allow xend_t user_home_t:dir { add_name search write };
> allow xend_t user_home_t:file { create write };
> allow xend_t var_run_t:dir { create setattr };
> allow xm_t fixed_disk_device_t:blk_file read;
>
>
> When I tried to install the module, I got this error:
>
> # semodule -i xen.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> xm_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> What am I doing wrong?

From the above, you are still directly allowing read access to a fixed disk device rather than using the storage_raw_read_fixed_disk() interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file read;' statement with:
storage_raw_read_fixed_disk(xm_t)

That was the point of switching to using the devel Makefile, so that you could use the above interface. Which already expands to the necessary declarations and rules to allow the access without violating the assertion/neverallow rule.

There isn't anything magic here; it is just that storage_raw_read_fixed_disk() as defined in /usr/share/selinux/devel/include/kernel/storage.if already expands to the right set of rules, and by using it, you insulate yourself from the policy details that might change over time or between systems. Same thing applies to all of your rules; if there is already an interface for that purpose, you are better off using it.

--
Stephen Smalley
National Security Agency

From robin-lists at robinbowes.com  Fri Oct 13 19:31:22 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 20:31:22 +0100
Subject: xen, selinux, FC5
In-Reply-To: <1160766930.14346.155.camel@moss-spartans.epoch.ncsc.mil>
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil> <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil> <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil> <1160766930.14346.155.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

Stephen Smalley wrote:
> On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
>> allow xm_t fixed_disk_device_t:blk_file read;
>
> From the above, you are still directly allowing read access to a fixed
> disk device rather than using the storage_raw_read_fixed_disk()
> interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
> read;' statement with:
> storage_raw_read_fixed_disk(xm_t)

Ah, right. That was what I was missing.
I removed that line and ran the make and got these errors:

]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:40:ERROR 'permission read is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission getattr is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission lock is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission ioctl is not defined for class dir' at token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'unknown class lnk_file used in rule' at token ';' on line 59082:
allow xm_t device_t:lnk_file { getattr read };
#line 40
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1

So, I removed all the lines I put in relating to the raw read.

My xen.te now looks like this:

module local 1.0;

require {
	class chr_file { read write };
	class dir { add_name create search setattr write };
	class fd use;
	class file { append create read write };
	class unix_stream_socket { read write };
	type home_root_t;
	type ifconfig_t;
	type local_login_t;
	type netutils_t;
	type proc_xen_t;
	type tmp_t;
	type tty_device_t;
	type user_home_dir_t;
	type user_home_t;
	type var_log_t;
	type var_run_t;
	type xend_t;
	type xend_var_log_t;
	role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)

Running the make produces this error:

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:37:ERROR 'unknown type xm_t' at token ';' on line 59091:
#line 37
typeattribute xm_t fixed_disk_raw_read;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1

I tried putting back "type xm_t" but get these errors:

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:38:ERROR 'permission read is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission getattr is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission lock is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission ioctl is not defined for class dir' at token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'unknown class lnk_file used in rule' at token ';' on line 59080:
allow xm_t device_t:lnk_file { getattr read };
#line 38
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1

I found I had to add all the missing classes and permissions. This version of xen.te builds and installs cleanly:

module local 1.0;

require {
	class blk_file { read getattr lock ioctl };
	class chr_file { read write };
	class dir { add_name create search setattr write read getattr lock ioctl };
	class fd use;
	class file { append create read write };
	class lnk_file { getattr read };
	class unix_stream_socket { read write };
	type home_root_t;
	type ifconfig_t;
	type local_login_t;
	type netutils_t;
	type proc_xen_t;
	type tmp_t;
	type tty_device_t;
	type user_home_dir_t;
	type user_home_t;
	type var_log_t;
	type var_run_t;
	type xend_t;
	type xend_var_log_t;
	type xm_t;
	role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)

> That was the point of switching to using the devel Makefile, so that you
> could use the above interface.
> Which already expands to the necessary
> declarations and rules to allow the access without violating the
> assertion/neverallow rule.
>
> There isn't anything magic here; it is just that
> storage_raw_read_fixed_disk() as defined
> in /usr/share/selinux/devel/include/kernel/storage.if already expands to
> the right set of rules, and by using it, you insulate yourself from the
> policy details that might change over time or between systems. Same
> thing applies to all of your rules; if there is already an interface for
> that purpose, you are better off using it.

So, how do I find out more about this? How would I know that interfaces like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?

Thanks for all your help,

R.

From sds at tycho.nsa.gov  Fri Oct 13 19:43:21 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 13 Oct 2006 15:43:21 -0400
Subject: xen, selinux, FC5
In-Reply-To:
References: <1160755090.14346.67.camel@moss-spartans.epoch.ncsc.mil> <1160756411.14346.71.camel@moss-spartans.epoch.ncsc.mil> <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil> <1160766930.14346.155.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1160768601.14346.177.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-13 at 20:31 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
> >> allow xm_t fixed_disk_device_t:blk_file read;
> >
> > From the above, you are still directly allowing read access to a fixed
> > disk device rather than using the storage_raw_read_fixed_disk()
> > interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
> > read;' statement with:
> > storage_raw_read_fixed_disk(xm_t)
>
> Ah, right. That was what I was missing.
>
> I removed that line and ran the make and got these errors:
>
> I found I had to add all the missing classes and permissions.

Or, alternatively, replace:
module local 1.0;
with the standard module prologue:
policy_module(local, 1.0)
This brings in the class/permission requires automatically.

> This version of xen.te builds and installs cleanly:

> So, how do I find out more about this? How would I know that interfaces
> like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?

Interface documentation is under /usr/share/doc/selinux-policy-x.y.z/html/index.html. /usr/share/selinux/devel/policyhelp is a trivial one-line script to launch a browser on it.

Also available at:
http://oss.tresys.com/docs/refpolicy/api/

An IDE is under development. Available from:
http://oss.tresys.com/projects/slide

--
Stephen Smalley
National Security Agency

From dac at tresys.com  Fri Oct 13 20:15:48 2006
From: dac at tresys.com (David Caplan)
Date: Fri, 13 Oct 2006 16:15:48 -0400
Subject: xen, selinux, FC5
In-Reply-To: <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <6FE441CD9F0C0C479F2D88F959B0158844452D@exchange.columbia.tresys.com>

> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> > >> Stephen Smalley wrote:
> > >>> The assertion is to prevent accidental granting of read
> access to
> > >>> a raw disk device. Is that truly required here?
> > >> Probably - the root disk of the guest O/S instance is an lvm
> > >> partition, e.g. /dev/vg01/lv_guest
> > >>
> > >>> To allow it, you need to use the interface for it, e.g.
> > >>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> > >>> kernel/storage.if. In addition to allowing the
> permission, it adds
> > >>> a type attribute to the type that excludes from the assertion.

It seems like you'd want to consider a specific xen label for your guest partitions. You probably don't want to give xm_t access to all of the disks/partitions. Generally when you violate assertions you're probably allowing access you don't want (or should at least think hard about). Of course that will be a little more involved and it's probably better to get things working first with the storage_raw_read_fixed_disk() interface.

I've had no luck with getting xen even to boot correctly (using the same versions you listed on FC5). It always hangs when it checks the hardware on boot and if I skip that step with an interactive boot my system gets corrupted. I'm using a vanilla Dell hardware base (works fine with the standard FC5 kernel install). Did you have any problems getting the initial system set up? I have tried installing and booting in permissive mode with the same results.

David

--
__________________________________
David Caplan
dac at tresys.com
Tresys Technology, LLC

From robin-lists at robinbowes.com  Fri Oct 13 21:32:39 2006
From: robin-lists at robinbowes.com (Robin Bowes)
Date: Fri, 13 Oct 2006 22:32:39 +0100
Subject: xen, selinux, FC5
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B0158844452D@exchange.columbia.tresys.com>
References: <1160757567.14346.82.camel@moss-spartans.epoch.ncsc.mil> <6FE441CD9F0C0C479F2D88F959B0158844452D@exchange.columbia.tresys.com>
Message-ID:

David Caplan wrote:
>
>> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
>>> Stephen Smalley wrote:
>>>> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>>>>> Stephen Smalley wrote:
>>>>>> The assertion is to prevent accidental granting of read
>> access to
>>>>>> a raw disk device. Is that truly required here?
>>>>> Probably - the root disk of the guest O/S instance is an lvm
>>>>> partition, e.g. /dev/vg01/lv_guest
>>>>>
>>>>>> To allow it, you need to use the interface for it, e.g.
>>>>>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
>>>>>> kernel/storage.if. In addition to allowing the
>> permission, it adds
>>>>>> a type attribute to the type that excludes from the assertion.
> > It seems like you'd want to consider a specific xen label for your guest > partitions. You probably don't want to give xm_t access to all of the > disks/partitions. Generally when you violate assertions you're probably > allowing access you don't want (or should at least think hard about). Of > course that will be a little more involved and it's probably better to > get things working first with the storage_raw_read_fixed_disk() > interface. I have a lot to learn about SELinux. I've been managing to make things work by creating local policies, but I've always had in my mind the thought that there must be other/better ways to do it. > I've had no luck with getting xen even to boot correctly (using the same > versions you listed on FC5). It always hangs when it checks the hardware > on boot and if I skip that step with an interactive boot my system gets > corrupted. I'm using a vanilla Dell hardware base (works fine with the > standard FC5 kernel install). Did you have any problems getting the > initial system set up? I have tried installing and booting in permissive > mode with the same results. I had no problems at all apart from the SELinux stuff. Here's what I did: - FC5 kickstart install. - yum update - installed kernel-xen0 + rebooted - created lv for guest domain - installed guest domain using this command line: xenguest-install.py --name=guest --file=/dev/vg01/lv_guest_vm --ram=512 --location=http://mirrors.kernel.org/fedora/core/5/i386/os/ --extra-args="ip=192.168.23.228 netmask=255.255.255.248 gateway=192.168.23.225 dns=192.168.2.203,192.168.2.204 ks=http://example.com/kickstart/ks_guest.cfg" - copied xendomains script from Redhat somewhere (see my first post in this thread). R. From goeran at uddeborg.se Mon Oct 16 09:33:51 2006 From: goeran at uddeborg.se (=?iso-8859-1?q?G=F6ran_Uddeborg?=) Date: Mon, 16 Oct 2006 11:33:51 +0200 Subject: Why isn't root allowed to kill X servers? 
In-Reply-To: <1123507160.13654.151.camel@moss-spartans.epoch.ncsc.mil> References: <200508081230.j78CUhss013816@gotham.columbia.tresys.com> <1123507160.13654.151.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <17715.20991.532550.750684@freddi.uddeborg.se> When an X server hang and blocked the console of a machine earlier today I realised the policy (selinux-policy-targeted-2.3.7-2.fc5) does not allow root to kill, as in SIGKILL, X servers. time->Mon Oct 16 07:54:31 2006 type=SYSCALL msg=audit(1160978071.008:499): arch=c000003e syscall=62 success=yes exit=0 a0=8e4 a1=9 a2=9 a3=0 items=0 pid=3236 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="kill" exe="/bin/kill" subj=root:system_r:unconfined_t:s0 type=AVC msg=audit(1160978071.008:499): avc: denied { sigkill } for pid=3236 comm="kill" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=process I suppose this is by design, but I'm curious over the reasoning. It's not much a root session cannot do in the targeted policy. Why is this singled out as an exception? (And is there something else I'm supposed to do with an X server that hangs and don't respond to any other signal?) From dwalsh at redhat.com Tue Oct 17 21:13:51 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 17 Oct 2006 17:13:51 -0400 Subject: Why isn't root allowed to kill X servers? In-Reply-To: <17715.20991.532550.750684@freddi.uddeborg.se> References: <200508081230.j78CUhss013816@gotham.columbia.tresys.com> <1123507160.13654.151.camel@moss-spartans.epoch.ncsc.mil> <17715.20991.532550.750684@freddi.uddeborg.se> Message-ID: <4535478F.4030608@redhat.com> G?ran Uddeborg wrote: > When an X server hang and blocked the console of a machine earlier > today I realised the policy (selinux-policy-targeted-2.3.7-2.fc5) does > not allow root to kill, as in SIGKILL, X servers. 
> > time->Mon Oct 16 07:54:31 2006 > type=SYSCALL msg=audit(1160978071.008:499): arch=c000003e syscall=62 success=yes exit=0 a0=8e4 a1=9 a2=9 a3=0 items=0 pid=3236 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="kill" exe="/bin/kill" subj=root:system_r:unconfined_t:s0 > type=AVC msg=audit(1160978071.008:499): avc: denied { sigkill } for pid=3236 comm="kill" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=process > > I suppose this is by design, but I'm curious over the reasoning. It's > not much a root session cannot do in the targeted policy. Why is this > singled out as an exception? > > (And is there something else I'm supposed to do with an X server that > hangs and don't respond to any other signal?) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > No this is actually a bug. This is caused by the introduction of mcs policy . You are seeing a side effect of using the forth field. Your root account is running as root:system_r:unconfined_t:s0, While the X Server is running as tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 There is a constraint in policy that basically says the Ts0 can not kill the s0-s0:c0.c255. You are seeing this because you logged in as a normal user and su to root. If you login directly via the console to root you will probably run at s0-s0:c0.c255, and could kill the xserver. You can change the default login on your machine to the full range by executing semanage login -m -rs0-s0:c255 __default__ This will allow all users who become root to kill the X Server and any other process running in this range. You could also execute semanage login -a -rs0-s0:c255 USERNAME To just allow you the rights. Anyways this problem is fixed in FC6 and I hope to have a large back port of policy for FC5 within the next week to fix this problem on FC5. 
From dwalsh at redhat.com Tue Oct 17 21:14:37 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 17 Oct 2006 17:14:37 -0400 Subject: FC6 SELinux issues In-Reply-To: <200610081532.04747.gene@czarc.net> References: <200610041709.08994.gene@czarc.net> <200610041911.22792.gene@czarc.net> <452516DE.2060804@redhat.com> <200610081532.04747.gene@czarc.net> Message-ID: <453547BD.10000@redhat.com> Gene Czarcinski wrote: > On Thursday 05 October 2006 10:29, Daniel J Walsh wrote: > >> MLS Policy is a server only policy. IE We don not support X-Windows. >> So if you want to change to MLS you need to remove all X-Windows >> software and relabel. Then it should work, but you need to understand >> how an MLS environment works. >> > > OK, I have setup something I consider to be server oriented (no X). I get a > bunch of avc denied messages (permissive mode). > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209950 > > >> Strict policy is not heavily tested in Fedora. Most people run >> targeted. We will look at any problems that you have with it, though. >> > > Most of the problems in mls mode seem to be the same in strict mode. > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209949 > > I assume that strict mode should be capable of running X ... true or false? > Yes it should be allowed to run X. 
From olivares14031 at yahoo.com Thu Oct 19 13:46:43 2006 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Thu, 19 Oct 2006 06:46:43 -0700 (PDT) Subject: denied avc's for hald, hpiod and mplayer plugin Message-ID: <20061019134643.20970.qmail@web52602.mail.yahoo.com> SELinux: initialized (dev autofs, type autofs), uses genfs_contexts SELinux: initialized (dev autofs, type autofs), uses genfs_contexts audit(1161244617.541:4): avc: denied { name_bind } for pid=2074 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket eth0: no IPv6 routers present audit(1161244622.801:5): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1161244622.801:6): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1161244622.801:7): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1161244622.801:8): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1161244622.801:9): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1161246948.355:10): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.355:11): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.391:12): avc: 
denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.391:13): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.403:14): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.403:15): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.415:16): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246948.415:17): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:18): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:19): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:20): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:21): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:22): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:23): avc: denied { execmem } for pid=5950 comm="mplayer" 
scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:24): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161246981.941:25): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.070:26): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.070:27): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.074:28): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.074:29): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.074:30): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.074:31): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.074:32): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247003.074:33): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:34): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 
tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:35): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:36): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:37): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:38): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:39): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:40): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process audit(1161247021.299:41): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process I have tried audit2allow but returns the following [olivares at localhost ~]$ grep avc /var/log/audit/audit.log | audit2allow -M local grep: /var/log/audit/audit.log: No such file or directory Generating type enforcment file: local.te /usr/bin/audit2allow: No AVC messages found. I have run yum update and it should have fixed the hald and hpiod but it has not. as for the mplayer plugin, I installed from source code, and did not want to disable selinux just to install it. I want to know how to enable it the hard way. 
Thanks, Antonio From gene at czarc.net Thu Oct 19 13:52:57 2006 From: gene at czarc.net (Gene Czarcinski) Date: Thu, 19 Oct 2006 09:52:57 -0400 Subject: roles Message-ID: <200610190952.57761.gene@czarc.net> I have been fooling around with RBAC and roles to see how it works and could be used. If I understand correctly, either ` 1. In order to add a new roles, you need to modify the source in the src.rpm and create a "new" policy: gop or "Gene'c Own Policy". or 2. I do not know the correct "magic dance" to perform to add a new role definition to an existing policy. Comment? Gene From dwalsh at redhat.com Thu Oct 19 14:09:17 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 19 Oct 2006 10:09:17 -0400 Subject: roles In-Reply-To: <200610190952.57761.gene@czarc.net> References: <200610190952.57761.gene@czarc.net> Message-ID: <4537870D.6070107@redhat.com> Gene Czarcinski wrote: > I have been fooling around with RBAC and roles to see how it works and could > be used. > > If I understand correctly, either > ` > 1. In order to add a new roles, you need to modify the source in the src.rpm > and create a "new" policy: gop or "Gene'c Own Policy". > > or > > 2. I do not know the correct "magic dance" to perform to add a new role > definition to an existing policy. > > Comment? > > You should be able to add a new role through a loadable policy module and then use semanage to assign the role to SELinux Users. 
> Gene > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From dwalsh at redhat.com Thu Oct 19 14:10:23 2006 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 19 Oct 2006 10:10:23 -0400 Subject: denied avc's for hald, hpiod and mplayer plugin In-Reply-To: <20061019134643.20970.qmail@web52602.mail.yahoo.com> References: <20061019134643.20970.qmail@web52602.mail.yahoo.com> Message-ID: <4537874F.8070802@redhat.com> Antonio Olivares wrote: > SELinux: initialized (dev autofs, type autofs), uses genfs_contexts > SELinux: initialized (dev autofs, type autofs), uses genfs_contexts > audit(1161244617.541:4): avc: denied { name_bind } for pid=2074 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket > eth0: no IPv6 routers present > audit(1161244622.801:5): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1161244622.801:6): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1161244622.801:7): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1161244622.801:8): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1161244622.801:9): avc: denied { search } for pid=2232 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir > audit(1161246948.355:10): avc: denied { execmem } for pid=5945 comm="mplayer" 
scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.355:11): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.391:12): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.391:13): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.403:14): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.403:15): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.415:16): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246948.415:17): avc: denied { execmem } for pid=5945 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:18): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:19): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:20): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:21): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 
tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:22): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:23): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:24): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161246981.941:25): avc: denied { execmem } for pid=5950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.070:26): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.070:27): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.074:28): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.074:29): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.074:30): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.074:31): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247003.074:32): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 
tclass=process > audit(1161247003.074:33): avc: denied { execmem } for pid=5953 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:34): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:35): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:36): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:37): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:38): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:39): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:40): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > audit(1161247021.299:41): avc: denied { execmem } for pid=5956 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process > > I have tried audit2allow but returns the following > > [olivares at localhost ~]$ grep avc /var/log/audit/audit.log | audit2allow -M local > grep: /var/log/audit/audit.log: No such file or directory > Generating type enforcment file: local.te > /usr/bin/audit2allow: No AVC messages found. > > I have run yum update and it should have fixed the hald and hpiod but it has not. 
> > as for the mplayer plugin, I installed from source code, and did not want to disable selinux just to install it. I want to know how to enable it the hard way.
> >
> > Thanks,
> >
> > Antonio
>
> chcon -t unconfined_execmem_t MPLAYERBINARY

Where is the MPLAYERBINARY installed?

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Thu Oct 19 14:11:24 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 19 Oct 2006 10:11:24 -0400
Subject: denied avc's for hald, hpiod and mplayer plugin
In-Reply-To: <20061019134643.20970.qmail@web52602.mail.yahoo.com>
References: <20061019134643.20970.qmail@web52602.mail.yahoo.com>
Message-ID: <4537878C.2000603@redhat.com>

Antonio Olivares wrote:
> I have tried audit2allow but returns the following
>
> [olivares at localhost ~]$ grep avc /var/log/audit/audit.log | audit2allow -M local
> grep: /var/log/audit/audit.log: No such file or directory
> Generating type enforcment file: local.te
> /usr/bin/audit2allow: No AVC messages found.
>
> I have run yum update and it should have fixed the hald and hpiod but it has not.
>
> as for the mplayer plugin, I installed from source code, and did not want to disable selinux just to install it. I want to know how to enable it the hard way.
>
> Thanks,
>
> Antonio
>
Previous email was a mistake. Should be

# chcon -t unconfined_execmem_exec_t MPLAYERBINARY
# ls -lZ /usr/bin/mplayer
-rwxr-xr-x  root root system_u:object_r:unconfined_execmem_exec_t /usr/bin/mplayer

From sds at tycho.nsa.gov Thu Oct 19 15:04:29 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 19 Oct 2006 11:04:29 -0400
Subject: roles
In-Reply-To: <4537870D.6070107@redhat.com>
References: <200610190952.57761.gene@czarc.net> <4537870D.6070107@redhat.com>
Message-ID: <1161270269.14632.165.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2006-10-19 at 10:09 -0400, Daniel J Walsh wrote:
> Gene Czarcinski wrote:
> > I have been fooling around with RBAC and roles to see how it works and could be used.
> >
> > If I understand correctly, either
> >
> > 1. In order to add a new role, you need to modify the source in the src.rpm and create a "new" policy: gop or "Gene's Own Policy".
> >
> > or
> >
> > 2. I do not know the correct "magic dance" to perform to add a new role definition to an existing policy.
> >
> > Comment?
> >
> You should be able to add a new role through a loadable policy module and then use semanage to assign the role to SELinux Users.

It isn't quite that simple (at least not yet). Full integration of a role requires too pervasive a change to work well from a loadable module.
Role additions in the current refpolicy have all gone into userdomain in the policy sources. There is also the rolemap file. There is a role-infra branch that Chris is working on to improve the infrastructure for adding roles.

--
Stephen Smalley
National Security Agency

From olivares14031 at yahoo.com Thu Oct 19 21:33:06 2006
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 19 Oct 2006 14:33:06 -0700 (PDT)
Subject: denied avc's for hald, hpiod and mplayer plugin
In-Reply-To: <4537878C.2000603@redhat.com>
Message-ID: <20061019213306.42279.qmail@web52606.mail.yahoo.com>

--- Daniel J Walsh wrote:

> Antonio Olivares wrote:
> > I have tried audit2allow but returns the following
> >
> > [olivares at localhost ~]$ grep avc /var/log/audit/audit.log
=== message truncated ===

Thanks for helping. Now mplayer plugin works!!

[root at localhost ~]# chcon -t unconfined_execmem_exec_t MPLAYERBINARY
chcon: MPLAYERBINARY: No such file or directory
[root at localhost ~]# ls -lZ /usr/bin/mplayer
ls: /usr/bin/mplayer: No such file or directory
[root at localhost ~]# which mplayer
/usr/local/bin/mplayer
[root at localhost ~]# ls -lZ /usr/local/bin/mplayer
-rwxr-xr-x  root root system_u:object_r:bin_t /usr/local/bin/mplayer
[root at localhost ~]# chcon -t unconfined_execmem_exec_t /usr/local/bin/mplayer
[root at localhost ~]# ls -lZ /usr/local/bin/mplayer
-rwxr-xr-x  root root system_u:object_r:unconfined_execmem_exec_t /usr/local/bin/mplayer

However, hald still shows up in dmesg

[olivares at localhost ~]$ dmesg
Linux version 2.6.18-1.2798.fc6 (brewbuilder at hs20-bc2-4.build.redhat.com) (gcc version 4.1.1 20061011 (Red Hat 4.1.1-30)) #1 SMP Mon Oct 16 14:37:32 EDT 2006
.......
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
audit(1161274398.870:4): avc: denied { name_bind } for pid=2076 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
eth0: no IPv6 routers present
audit(1161274403.915:5): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161274403.915:6): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161274403.915:7): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161274403.915:8): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1161274403.915:9): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir

How can I make it go away, or is it just a friendly feature that won't hurt the computer?

Best Regards,

Antonio

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From zico at algohotellet.se Fri Oct 20 08:53:06 2006
From: zico at algohotellet.se (pi)
Date: Fri, 20 Oct 2006 10:53:06 +0200
Subject: Avc´s while running rkhunter
Message-ID: <906f604407f61ee74f77acf2a243fd1f@algohotellet.se>

Hashes seem OK when I turn SELinux protection off; as soon as I turn SELinux on while running rkhunter, they show up as BAD.
So I figure they are okay, but rkhunter is denied access to something.
Can someone explain what I have to do to make it right?
I'm on FC5, and I think it's fully updated if I haven't missed out on any new repos.

dries.repo
fedora-extras.repo
freshrpms.repo
fedora-core.repo
fedora-legacy.repo
livna.repo
fedora-development.repo
fedora-updates.repo
macromedia.repo
fedora-extras-development.repo
fedora-updates-testing.repo
nuu.repo

--------------------------------------------------------
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
--------------------------------------------------------
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
--------------------------------------------------------
type=AVC msg=audit(1161332509.183:234): avc: denied { read write } for pid=28899 comm="prelink" name="0" dev=devpts ino=2 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.183:234): avc: denied { read write } for pid=28899 comm="prelink" name="0" dev=devpts ino=2 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.183:234): avc: denied { write } for pid=28899 comm="prelink" name="prelink.tst" dev=dm-0 ino=1277164 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1161332509.183:234): avc: denied { read write } for pid=28899 comm="prelink" name="0" dev=devpts ino=2 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1161332509.183:234): arch=40000003 syscall=11 success=yes exit=0 a0=8fd6ec8 a1=8fd6ae0 a2=8f4b3b8 a3=8fd6d38 items=0 ppid=28898 pid=28899 auid=523 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=user_u:system_r:prelink_t:s0 key=(null)
type=AVC_PATH msg=audit(1161332509.183:234): path="/dev/pts/0"
type=AVC_PATH msg=audit(1161332509.183:234): path="/var/rkhunter/tmp/prelink.tst"
type=AVC_PATH msg=audit(1161332509.183:234): path="/dev/pts/0"
type=AVC msg=audit(1161332509.859:235): avc: denied { read write } for pid=28959 comm="prelink" name="0" dev=devpts ino=2 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.859:235): avc: denied { read write } for pid=28959 comm="prelink" name="0" dev=devpts ino=2 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1161332509.859:235): avc: denied { write } for pid=28959 comm="prelink" name="prelink.tst" dev=dm-0 ino=1277164 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1161332509.859:235): avc: denied { read write } for pid=28959 comm="prelink" name="0" dev=devpts ino=2 scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1161332509.859:235): arch=40000003 syscall=11 success=yes exit=0 a0=8fd66f0 a1=8fd6ae0 a2=8f4b3b8 a3=8fd6ea0 items=0 ppid=28958 pid=28959 auid=523 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink" subj=user_u:system_r:prelink_t:s0 key=(null)
type=AVC_PATH msg=audit(1161332509.859:235): path="/dev/pts/0"
type=AVC_PATH msg=audit(1161332509.859:235): path="/var/rkhunter/tmp/prelink.tst"
type=AVC_PATH msg=audit(1161332509.859:235): path="/dev/pts/0"

Regards
/pi

From sds at tycho.nsa.gov Fri Oct 20 13:02:18 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 20 Oct 2006 09:02:18 -0400
Subject: Avc´s while running rkhunter
In-Reply-To: <906f604407f61ee74f77acf2a243fd1f@algohotellet.se>
References: <906f604407f61ee74f77acf2a243fd1f@algohotellet.se>
Message-ID: <1161349338.29755.43.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2006-10-20 at 10:53 +0200, pi wrote:
> Hashes seem OK when I turn SELinux protection off; as soon as I turn
> SELinux on while running rkhunter, they show up as BAD.
> So I figure they are okay, but rkhunter is denied access to something.
> Can someone explain what I have to do to make it right?
> I'm on FC5, and I think it's fully updated if I haven't missed out on
> any new repos.

Tip: Use /sbin/ausearch -i with other qualifiers as appropriate to filter and interpret the audit logs. Example: /sbin/ausearch -i -m avc,selinux_err to see all AVC and SELinux error messages in an interpreted form.

> type=AVC msg=audit(1161332509.183:234): avc: denied { read write }
> for pid=28899 comm="prelink" name="0" dev=devpts ino=2
> scontext=user_u:system_r:prelink_t:s0
> tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file

So rkhunter is running prelink, and prelink is likely inheriting a descriptor to the user's pty, but isn't allowed to access it. No big deal, unless prelink truly needs to write to the user's pty for some reason (not likely in this case).

> type=AVC msg=audit(1161332509.183:234): avc: denied { write } for
> pid=28899 comm="prelink" name="prelink.tst" dev=dm-0 ino=1277164
> scontext=user_u:system_r:prelink_t:s0 tcontext=user_u:object_r:var_t:s0
> tclass=file
> type=AVC_PATH msg=audit(1161332509.183:234):
> path="/var/rkhunter/tmp/prelink.tst"

This one is likely the real culprit - prelink is trying to write to a file named "prelink.tst", and isn't allowed to access it. From the AVC_PATH record, we see that the file's full path is /var/rkhunter/tmp/prelink.tst. Since rkhunter has no policy itself, /var/rkhunter just defaults to the type of the parent directory, var_t, and prelink has no business writing to generic files under /var.

You could use audit2allow just to allow it, but a better solution would be to define a more specific type for /var/rkhunter, and then allow prelink to write to files with that type.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Oct 20 21:15:48 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 20 Oct 2006 17:15:48 -0400
Subject: denied avc's for hald, hpiod and mplayer plugin
In-Reply-To: <20061019213306.42279.qmail@web52606.mail.yahoo.com>
References: <20061019213306.42279.qmail@web52606.mail.yahoo.com>
Message-ID: <45393C84.2080306@redhat.com>

Antonio Olivares wrote:
> --- Daniel J Walsh wrote:
>> Antonio Olivares wrote:
denied { search } >>> >> for pid=2232 comm="hald" name="irq" dev=proc >> ino=-268435212 scontext=system_u:system_r:hald_t:s0 >> tcontext=system_u:object_r:sysctl_irq_t:s0 >> tclass=dir >> >>> audit(1161246948.355:10): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.355:11): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.391:12): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.391:13): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.403:14): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.403:15): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.415:16): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246948.415:17): avc: denied { execmem >>> >> } for pid=5945 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:18): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:19): 
avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:20): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:21): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:22): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:23): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:24): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161246981.941:25): avc: denied { execmem >>> >> } for pid=5950 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.070:26): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.070:27): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.074:28): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.074:29): avc: denied { 
execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.074:30): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.074:31): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.074:32): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247003.074:33): avc: denied { execmem >>> >> } for pid=5953 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:34): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:35): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:36): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:37): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:38): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:39): avc: denied { execmem >>> >> } 
for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:40): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> audit(1161247021.299:41): avc: denied { execmem >>> >> } for pid=5956 comm="mplayer" >> scontext=user_u:system_r:unconfined_t:s0 >> tcontext=user_u:system_r:unconfined_t:s0 >> tclass=process >> >>> I have tried audit2allow but returns the following >>> >>> [olivares at localhost ~]$ grep avc >>> >> /var/log/audit/audit.log >> > === message truncated === > > Thanks for helping. Now mplayer plugin works!! > > [root at localhost ~]# chcon -t unconfined_execmem_exec_t > MPLAYERBINARY > chcon: MPLAYERBINARY: No such file or directory > [root at localhost ~]# ls -lZ /usr/bin/mplayer > ls: /usr/bin/mplayer: No such file or directory > [root at localhost ~]# which mplayer > /usr/local/bin/mplayer > [root at localhost ~]# ls -lZ /usr/local/bin/mplayer > -rwxr-xr-x root root system_u:object_r:bin_t > /usr/local/bin/mplayer > [root at localhost ~]# chcon -t unconfined_execmem_exec_t > /usr/local/bin/mplayer > [root at localhost ~]# ls -lZ /usr/local/bin/mplayer > -rwxr-xr-x root root > system_u:object_r:unconfined_execmem_exec_t > /usr/local/bin/mplayer > > However, hald still shows up in dmesg > > [olivares at localhost ~]$ dmesg > Linux version 2.6.18-1.2798.fc6 > (brewbuilder at hs20-bc2-4.build.redhat.com) (gcc version > 4.1.1 20061011 (Red Hat 4.1.1-30)) #1 SMP Mon Oct 16 > 14:37:32 EDT 2006 > BIOS-provided physical RAM map: > BIOS-e820: 0000000000000000 - 000000000009fc00 > (usable) > BIOS-e820: 000000000009fc00 - 00000000000a0000 > (reserved) > BIOS-e820: 00000000000e0000 - 0000000000100000 > (reserved) > BIOS-e820: 0000000000100000 - 000000001dfd0000 > (usable) > BIOS-e820: 000000001dfd0000 - 000000001dfdf000 (ACPI > data) > BIOS-e820: 
000000001dfdf000 - 000000001e000000 (ACPI NVS)
> BIOS-e820: 00000000fec00000 - 00000000fec01000 (reserved)
> BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
> BIOS-e820: 00000000ff7c0000 - 0000000100000000 (reserved)
> 0MB HIGHMEM available.
> 479MB LOWMEM available.
> .......
>
> SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
> SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
> audit(1161274398.870:4): avc: denied { name_bind } for pid=2076 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> eth0: no IPv6 routers present
> audit(1161274403.915:5): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1161274403.915:6): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1161274403.915:7): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1161274403.915:8): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
> audit(1161274403.915:9): avc: denied { search } for pid=2234 comm="hald" name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
>
> How can I make it go away, or is it just a friendly feature that won't hurt the computer?
>
> You need to update policy if this is FC6. If it is FC5, I am preparing a major policy update.
>
> Best Regards,
>
> Antonio
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>

From ynakam at gwu.edu Sat Oct 21 09:02:02 2006
From: ynakam at gwu.edu (Yuichi Nakamura)
Date: Sat, 21 Oct 2006 18:02:02 +0900
Subject: semodule -b does not work in FC5
Message-ID:

I am editing policy source for Fedora Core 5 to study refpolicy.
I did yum update today, and found semodule -b does not work.
Last week, it was working..
Versions of the related commands are below.
selinux-policy-2.3.7-2.fc5
checkpolicy-1.30.3-1.fc5
libsepol-1.12.28-1.fc5

How to reproduce the problem is as follows:

1) I obtained selinux-policy-2.3.7-2.fc5.src.rpm from a fedora mirror site.
2) installed src.rpm
3) Edit the following 2 lines in selinux-policy.spec
%define BUILD_STRICT 0
%define BUILD_MLS 0
4) rpmbuild -bi selinux-policy.spec
5) cd BUILD/serefpolicy-2.3.7/
6) Edit build.conf, like below.
TYPE=targeted-mcs
NAME=targeted
DISTRO=redhat
DIRECT_INITRC=y
MONOLITHIC=n
7) make install-src
8) cd /etc/selinux/targeted/src/policy
9) make load, but it fails.

Loading configured modules.
/usr/sbin/semodule -s targeted -b /usr/share/selinux/targeted/base.pp -i /usr/share/selinux/targeted/amavis.pp -i /usr/share/selinux/targeted/clamav.pp -i /usr/share/selinux/targeted/dcc.pp -i /usr/share/selinux/targeted/pyzor.pp -i /usr/share/selinux/targeted/razor.pp
libsepol.mls_read_range_helper: truncated range
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/base.pp.
/usr/sbin/semodule: Failed!

Why does it fail?

Yuichi Nakamura

From norm at workingtools.ca Sun Oct 22 00:59:15 2006
From: norm at workingtools.ca (norm)
Date: Sat, 21 Oct 2006 17:59:15 -0700
Subject: Selinux Audit Question
Message-ID: <20061021175915.07d4eeb9@david.hill.bnb>

What does this message mean? Should I edit or modify some of my settings somewhere?
-------------------- Selinux Audit Begin ------------------------

*** Denials ***
system_u system_u (dir): 10 times
system_u system_u (file): 7 times

From ynakam at hitachisoft.jp Mon Oct 23 08:14:48 2006
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Mon, 23 Oct 2006 17:14:48 +0900
Subject: semodule -b does not work in FC5
In-Reply-To:
References:
Message-ID: <20061023171448.8a09976b.ynakam@hitachisoft.jp>

On Sat, 21 Oct 2006 18:02:02 +0900
Yuichi Nakamura wrote:
> I am editing policy source for Fedora Core 5 to study refpolicy.
> I did yum update today, and found semodule -b does not work.
> Last week, it was working..
> Versions of the related commands are below.
> selinux-policy-2.3.7-2.fc5
> checkpolicy-1.30.3-1.fc5
> libsepol-1.12.28-1.fc5

I have downgraded to libsepol-1.12.17-1.fc5 and semodule -b worked.
It seems that libsepol-1.12.28 contains a bug.

Yuichi Nakamura

From sds at tycho.nsa.gov Mon Oct 23 13:28:55 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 23 Oct 2006 09:28:55 -0400
Subject: semodule -b does not work in FC5
In-Reply-To:
References:
Message-ID: <1161610135.3316.55.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2006-10-21 at 18:02 +0900, Yuichi Nakamura wrote:
> I am editing policy source for Fedora Core 5 to study refpolicy.
>
> I did yum update today, and found semodule -b does not work.
> Last week, it was working..
> Versions of the related commands are below.
> selinux-policy-2.3.7-2.fc5
> checkpolicy-1.30.3-1.fc5
> libsepol-1.12.28-1.fc5
>
>
> How to reproduce the problem is as follows:
>
> 1) I obtained selinux-policy-2.3.7-2.fc5.src.rpm from a fedora mirror site.
> 2) installed src.rpm
> 3) Edit the following 2 lines in selinux-policy.spec
> %define BUILD_STRICT 0
> %define BUILD_MLS 0
> 4) rpmbuild -bi selinux-policy.spec
> 5) cd BUILD/serefpolicy-2.3.7/
> 6) Edit build.conf, like below.
> TYPE=targeted-mcs
> NAME=targeted
> DISTRO=redhat
> DIRECT_INITRC=y
> MONOLITHIC=n
> 7) make install-src
> 8) cd /etc/selinux/targeted/src/policy
> 9) make load, but it fails.
>
> Loading configured modules.
> /usr/sbin/semodule -s targeted -b /usr/share/selinux/targeted/base.pp -i /usr/share/selinux/targeted/amavis.pp -i /usr/share/selinux/targeted/clamav.pp -i /usr/share/selinux/targeted/dcc.pp -i /usr/share/selinux/targeted/pyzor.pp -i /usr/share/selinux/targeted/razor.pp
> libsepol.mls_read_range_helper: truncated range
> libsepol.sepol_module_package_read: invalid module in module package (at section 0)
> libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/base.pp.
> /usr/sbin/semodule: Failed!
>
> Why does it fail?

It shouldn't fail, but try updating to checkpolicy 1.32 and rebuilding that policy (you have a newer libsepol with an older checkpolicy, which should work, but seems to have run into a bug). By the way, you don't have to edit the spec file - you can just --define "BUILD_STRICT 0" --define "BUILD_MLS 0" on the rpmbuild command line.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Oct 23 16:58:44 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 23 Oct 2006 12:58:44 -0400
Subject: Selinux Audit Question
In-Reply-To: <20061021175915.07d4eeb9@david.hill.bnb>
References: <20061021175915.07d4eeb9@david.hill.bnb>
Message-ID: <453CF4C4.5070304@redhat.com>

norm wrote:
> What does this message mean? Should I edit or modify some of my
> settings somewhere?
> -------------------- Selinux Audit Begin ------------------------
>
> *** Denials ***
> system_u system_u (dir): 10 times
> system_u system_u (file): 7 times
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
Means that you have some avc messages in your log files.
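The "system_u system_u (dir): 10 times" report norm asks about is a roll-up of AVC records keyed only by source user, target user and object class, which is why it cannot tell you which domain was denied what. The script below is an added example, not from the list or from any Fedora tool: it parses AVC records in both the dmesg form and the /var/log/audit/audit.log form seen in the threads above, reproduces that per-user roll-up, and then adds the per-domain view (source type, target type, class, permissions) that you actually need before deciding whether a denial calls for a relabel, as in the mplayer and mountpoint cases above, or a policy update. The sample log lines are constructed for the example, modelled on the hald, hpiod and mplayer records quoted in the threads.

```python
import re
from collections import Counter

# One regex for the AVC record body, which is the same whether the line came
# from dmesg ("audit(...): avc: denied ...") or from /var/log/audit/audit.log
# ("type=AVC msg=audit(...): avc: denied ...").
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2], "range": ":".join(parts[3:])}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    scontext = split_context(m.group("scontext"))
    tcontext = split_context(m.group("tcontext"))
    if scontext is None or tcontext is None:
        return None
    fields = {}
    for kv in m.group("fields").split():        # pid=2234 comm="hald" name="irq" dev=proc ...
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k] = v.strip('"')
    return {"verdict": m.group("verdict"), "perms": frozenset(m.group("perms").split()),
            "comm": fields.get("comm"), "pid": fields.get("pid"),
            "scontext": scontext, "tcontext": tcontext, "tclass": m.group("tclass")}


def parse_avc_lines(lines):
    return [r for r in (parse_avc(l) for l in lines) if r is not None]


def summarize_by_user(records):
    """The roll-up from the thread: (source user, target user, class) -> denial count."""
    return Counter((r["scontext"]["user"], r["tcontext"]["user"], r["tclass"])
                   for r in records if r["verdict"] == "denied")


def summarize_by_domain(records):
    """(source type, target type, class, permissions) -> count: what the user roll-up hides."""
    return Counter((r["scontext"]["type"], r["tcontext"]["type"], r["tclass"], tuple(sorted(r["perms"])))
                   for r in records if r["verdict"] == "denied")


def render_report(records):
    lines = ["*** Denials ***"]
    for (su, tu, cls), n in sorted(summarize_by_user(records).items()):
        lines.append(f"{su} {tu} ({cls}): {n} times")
    lines.append("*** Denials by domain ***")
    for (st, tt, cls, perms), n in sorted(summarize_by_domain(records).items()):
        lines.append(f"{st} -> {tt} ({cls}) {{ {' '.join(perms)} }}: {n} times")
    return lines


# Constructed sample, modelled on the records quoted in the threads above; the
# hald line is repeated with consecutive audit serials and one non-AVC line is mixed in.
HALD_TMPL = ('audit(1161274403.915:%d): avc: denied { search } for pid=2234 comm="hald" '
             'name="irq" dev=proc ino=-268435212 scontext=system_u:system_r:hald_t:s0 '
             'tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir')
MPLAYER_TMPL = ('type=AVC msg=audit(1161247021.299:%d): avc: denied { execmem } for pid=5956 '
                'comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 '
                'tcontext=user_u:system_r:unconfined_t:s0 tclass=process')
SAMPLE_LOG = [
    'audit(1161274398.870:4): avc: denied { name_bind } for pid=2076 comm="hpiod" src=2208 '
    'scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'eth0: no IPv6 routers present',
] + [HALD_TMPL % n for n in range(5, 10)] + [MPLAYER_TMPL % n for n in (40, 41)]

if __name__ == "__main__":
    for line in render_report(parse_avc_lines(SAMPLE_LOG)):
        print(line)
```

On the sample this prints the thread's style of line ("system_u system_u (dir): 5 times") followed by "hald_t -> sysctl_irq_t (dir) { search }: 5 times", and the second form is the one to feed to audit2allow or to compare against the file's label with ls -Z.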
From dnedrow at usa.net Tue Oct 24 18:17:23 2006 From: dnedrow at usa.net (David Nedrow) Date: Tue, 24 Oct 2006 14:17:23 -0400 Subject: FC[5|6] strict policy and root Message-ID: <6CBEF32F-3801-45A9-BE0E-DA74E0888736@usa.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Has anyone successfully switched from targeted to strict policies under either FC5 or FC6? Under FC6, I switched policies and relabeled on a boot. I also booted into permissive mode. From there, I did an audit2allow to generate a list of items I would need to add to my running policy. After creating the module and loading it, all of the AVC messages disappear even after a reboot. So, to my way of thinking, everything should be working. However, if I enable enforcement root can log in but not do anything beyond that. Only a reboot with enforcing set to permissive at the grub prompt gets roots login working again. Even after that, there are no new AVC messages. Does anyone have an idea as to what I'm missing? Prior to FC5, I had no problems with the strict policy. - - -David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFPlizF5XSfHP90EcRAoh9AJwN7Nl2WI8oKZ03p3oMUgJ+h+NRiQCeMHsQ qErT6X0tJbB7nSknNE4Jm9c= =GXr6 -----END PGP SIGNATURE----- From sds at tycho.nsa.gov Tue Oct 24 18:42:36 2006 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 24 Oct 2006 14:42:36 -0400 Subject: FC[5|6] strict policy and root In-Reply-To: <6CBEF32F-3801-45A9-BE0E-DA74E0888736@usa.net> References: <6CBEF32F-3801-45A9-BE0E-DA74E0888736@usa.net> Message-ID: <1161715356.3987.165.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2006-10-24 at 14:17 -0400, David Nedrow wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Has anyone successfully switched from targeted to strict policies > under either FC5 or FC6? > > Under FC6, I switched policies and relabeled on a boot. I also booted > into permissive mode. 
From there, I did an audit2allow to generate a
> list of items I would need to add to my running policy.
>
> After creating the module and loading it, all of the AVC messages
> disappear even after a reboot. So, to my way of thinking, everything
> should be working. However, if I enable enforcement root can log in
> but not do anything beyond that. Only a reboot with enforcing set to
> permissive at the grub prompt gets root's login working again. Even
> after that, there are no new AVC messages.
>
> Does anyone have an idea as to what I'm missing?
>
> Prior to FC5, I had no problems with the strict policy.

A few observations:

- root is not necessarily all powerful under SELinux; it depends on what role/domain he has. What does id show? root often has to first newrole -r sysadm_r in order to assume administrative privileges under strict policy. To enable other users to assume admin privileges, you will need to map them to staff_u using semanage so that they can newrole to sysadm_r and then run su or sudo as appropriate.

- Some AVC denials may not be audited due to dontaudit rules in the policy. These rules are to avoid flooding the audit logs with noise from extraneous access attempts by libraries and applications that are not truly required for operation. In the past (before FC5), one could re-enable all such auditing by rebuilding the policy sources with 'make clean enableaudit load'. With the introduction of modular policy in FC5, you no longer have the full policy sources sitting around (unless you grab the .src.rpm), so the policy package instead prebuilds an enableaudit.pp file under /usr/share/selinux/(targeted|strict) that you can install via semodule -b to re-enable auditing at least in the base module. But I don't believe this addresses non-base modules, which is an issue in a highly modularized policy like strict.

- FC5 strict policy was broken for other reasons (broken optionals-in-base support in that libsepol and checkpolicy).
That may get sorted if Dan updates FC5 policy and rebuilds it with the latest libsepol and checkpolicy. -- Stephen Smalley National Security Agency From dnedrow at usa.net Tue Oct 24 20:59:47 2006 From: dnedrow at usa.net (David Nedrow) Date: Tue, 24 Oct 2006 16:59:47 -0400 Subject: {Solved} FC[5|6] strict policy and root In-Reply-To: <1161715356.3987.165.camel@moss-spartans.epoch.ncsc.mil> References: <6CBEF32F-3801-45A9-BE0E-DA74E0888736@usa.net> <1161715356.3987.165.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <736167EC-27A5-40B2-914E-DA2BCE71A91F@usa.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Oct 24, 2006, at 2:42 PM, Stephen Smalley wrote: > On Tue, 2006-10-24 at 14:17 -0400, David Nedrow wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Has anyone successfully switched from targeted to strict policies >> under either FC5 or FC6? >> >> Does anyone have an idea as to what I'm missing? >> >> Prior to FC5, I had no problems with the strict policy. >> > > A few observations: > - root is not necessarily all powerful under SELinux; it depends on > what > role/domain he has. What does id show? root often has to first > newrole > -r sysadm_r in order to assume administrative privileges under strict > policy. > Aha. That was it. > To enable other users to assume admin privileges, you will need > to map them to staff_u using semanage so that they can newrole to > sysadm_r and then run su or sudo as appropriate. > Thanks for the info. 
David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFPn7EF5XSfHP90EcRAq6nAJ9DjQJletGP4QTgFZ0TPfXVD+J9SQCePJs0 OxWPp/B+YI8R0+/NFZNlpzE= =I2bz -----END PGP SIGNATURE----- From dsugar at tresys.com Wed Oct 25 11:25:48 2006 From: dsugar at tresys.com (Dave Sugar) Date: Wed, 25 Oct 2006 07:25:48 -0400 Subject: ANN: SELinux Policy IDE (SLIDE) Message-ID: <1161775548.3249.1.camel@localhost.localdomain> The third release of SELinux Policy IDE (SLIDE) from Tresys is now available for download from the Tresys Open Source website at http://oss.tresys.com. SLIDE is an Eclipse plug-in that integrates with the SELinux Reference Policy to provide a development environment for building SELinux policy. New features in this release: * Ability to test policy under development on a remote machine from within SLIDE * Remote audit monitoring using SLIDE's Audit view, which displays audit messages from remote machine Bugs fixed in this release: * Modifications to the new project wizard to make it clearer * Rewrite of policy explorer to fix some problems it was having * Modifications to search to include ability to search for type_transitions * Changes to the new project wizard to make it clearer what the various options are. Dave Sugar dsugar at tresys.com From ruedarod at cse.psu.edu Wed Oct 25 14:12:08 2006 From: ruedarod at cse.psu.edu (Sandra Julieta Rueda Rodriguez) Date: Wed, 25 Oct 2006 10:12:08 -0400 (EDT) Subject: MLS extension and non-base modules Message-ID: <49293.130.203.65.72.1161785528.squirrel@130.203.65.72> Hello, Since the recommendation is to work with modules. I was wondering if this is still true for the mls extension: "Security level statements are valid only in monolithic policies and base loadable modules. They are not valid in conditional statemens and non-base loadable modules". (Security level statements refers to sensitivity definition). So, in the case of an mls extension I have to work with a monolithic policy, is that right? 
Thanks,
Sandra

From sds at tycho.nsa.gov Wed Oct 25 14:54:06 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 25 Oct 2006 10:54:06 -0400
Subject: MLS extension and non-base modules
In-Reply-To: <49293.130.203.65.72.1161785528.squirrel@130.203.65.72>
References: <49293.130.203.65.72.1161785528.squirrel@130.203.65.72>
Message-ID: <1161788046.3987.316.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2006-10-25 at 10:12 -0400, Sandra Julieta Rueda Rodriguez wrote:
> Hello,
>
> Since the recommendation is to work with modules, I was wondering if this
> is still true for the mls extension:
>
> "Security level statements are valid only in monolithic policies and base
> loadable modules. They are not valid in conditional statements and non-base
> loadable modules".
> (Security level statements refers to sensitivity definition).
>
> So, in the case of an mls extension I have to work with a monolithic
> policy, is that right?

Not necessarily; you can still use modular policy, but you have to replace the base module with one that contains your new definitions.

--
Stephen Smalley
National Security Agency

From gajownik at gmail.com Fri Oct 27 22:39:30 2006
From: gajownik at gmail.com (Dawid Gajownik)
Date: Sat, 28 Oct 2006 00:39:30 +0200
Subject: How should I run genfscon in my module?
Message-ID: <45428AA2.9080106@gmail.com>

Hi!
I wanted to help resolving bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211767

During some investigation I found that after mounting an ntfs partition, files have their context set to unlabeled_t. I downloaded selinux-policy.srpm and found in policy/modules/kernel/filesystem.te these lines:

#
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)

I thought "Great, I need a similar entry in my module!". I prepared this file:

[root at X ~]# cat ntfs3g.te
module ntfs3g 1.0;

require {
	class chr_file { getattr read write };
	class file execute_no_trans;
	type device_t;
	type dosfs_t;
	type mount_exec_t;
	type mount_t;
	role system_r;
};

genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
allow mount_t device_t:chr_file { getattr read write };
allow mount_t mount_exec_t:file execute_no_trans;
[root at X ~]#

As you can guess it does not compile ;-)

[root at X ~]# checkmodule -M -m -o ntfs3g.mod ntfs3g.te
checkmodule: loading policy configuration from ntfs3g.te
(unknown source)::ERROR 'syntax error' at token 'genfscon' on line 13:
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
checkmodule: error(s) encountered while parsing configuration
[root at X ~]#

What have I done wrong?

(FC6, selinux-policy-targeted-2.4.1-3.fc6)

Regards,
Dawid

--
^_*

From luya_tfz at thefinalzone.com Sat Oct 28 06:02:22 2006
From: luya_tfz at thefinalzone.com (Luya Tshimbalanga)
Date: Sat, 28 Oct 2006 14:02:22 +0800
Subject: Frontend for SELinux
Message-ID:

Reading OSNews, I stumbled on this page http://seedit.sourceforge.net/
A frontend for SELinux developed by a Hitachi Software (yes, Hitachi division) employee under the GPL license.
That application is well suited to be part of Core, which will simplify administrators' tasks.
Can someone talk with these Hitachi developers to bring it into the Core or Extras repository?
Luya Tshimbalanga -- Fedora Project Contributor http://www.fedoraproject.org/wiki/LuyaTshimbalanga http://www.fedoranews.org From rhally at mindspring.com Sat Oct 28 06:17:40 2006 From: rhally at mindspring.com (Richard Hally) Date: Sat, 28 Oct 2006 02:17:40 -0400 Subject: Frontend for SELinux In-Reply-To: References: Message-ID: <4542F604.1000508@mindspring.com> Luya Tshimbalanga wrote: > Reading OSNews, I stumbled on this page http://seedit.sourceforge.net/ > A frontend for SELinux developed by Hitachi Software (yes, Hitachi > division) employee under GPL license. > That application is well suited to be part of Core which will > simplify administrators' task. > Can someone talk with these Hitachi developers to bring it on Core or > Extras repository? > > Luya Tshimbalanga More information is available in the archives of this list. Look for the thread with the subject > [ANN] SELinux Policy Editor 2.0(seedit 2.0) From luya_tfz at thefinalzone.com Sat Oct 28 06:40:12 2006 From: luya_tfz at thefinalzone.com (Luya Tshimbalanga) Date: Sat, 28 Oct 2006 14:40:12 +0800 Subject: Frontend for SELinux Message-ID: > More information is available in the archives of this list. Look for the > thread with the subject > [ANN] SELinux Policy Editor 2.0(seedit 2.0) Thank you very much. Luya Tshimbalanga -- Fedora Project Contributor http://www.fedoraproject.org/wiki/LuyaTshimbalanga http://www.fedoranews.org From selinux at gmail.com Sat Oct 28 17:35:44 2006 From: selinux at gmail.com (Tom London) Date: Sat, 28 Oct 2006 10:35:44 -0700 Subject: Today's update: install errors Message-ID: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com> Running latest rawhide, targeted/enforcing. Got this with today's updates: Updating : selinux-policy-targeted ####################### [ 6/12] libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly. libsemanage.semanage_reload_policy: load_policy returned error code -1. 
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule: Failed!
Cleanup : selinux-policy ####################### [ 7/12]

tom
--
Tom London

From jbrindle at tresys.com Sun Oct 29 16:16:33 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Sun, 29 Oct 2006 11:16:33 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <45428AA2.9080106@gmail.com>
References: <45428AA2.9080106@gmail.com>
Message-ID: <4544D3E1.8000102@tresys.com>

Dawid Gajownik wrote:
> Hi!
> I wanted to help resolving bug
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211767
>
> During some investigation I found that after mounting an ntfs partition,
> files have their context set to unlabeled_t. I downloaded
> selinux-policy.srpm and found in policy/modules/kernel/filesystem.te
> these lines:
>
> #
> # dosfs_t is the type for fat and vfat
> # filesystems and their files.
> #
> type dosfs_t;
> fs_noxattr_type(dosfs_t)
> allow dosfs_t fs_t:filesystem associate;
> genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
> genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
> genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
> genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
>
> I thought "Great, I need a similar entry in my module!".
I prepared this
> file:
> [root at X ~]# cat ntfs3g.te
> module ntfs3g 1.0;
>
> require {
> 	class chr_file { getattr read write };
> 	class file execute_no_trans;
> 	type device_t;
> 	type dosfs_t;
> 	type mount_exec_t;
> 	type mount_t;
> 	role system_r;
> };
>
> genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
> allow mount_t device_t:chr_file { getattr read write };
> allow mount_t mount_exec_t:file execute_no_trans;
> [root at X ~]#
>
> As you can guess it does not compile ;-)
>
> [root at X ~]# checkmodule -M -m -o ntfs3g.mod ntfs3g.te
> checkmodule: loading policy configuration from ntfs3g.te
> (unknown source)::ERROR 'syntax error' at token 'genfscon' on line 13:
>
> genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
> checkmodule: error(s) encountered while parsing configuration
> [root at X ~]#
>
> What have I done wrong?
>
> (FC6, selinux-policy-targeted-2.4.1-3.fc6)

Modules do not allow genfscon statements; the grammar of modules is a subset of the base policy grammar. Unfortunately you will have to add this entry to the base policy. Refpolicy's concept of module may be a little misleading: it doesn't convert to each one being able to compile as a policy module, there are several modules that are required to be part of base.

However, is this filesystem slated for the upstream kernel? If so it should be added to refpolicy anyway; it would get the nfs_t type though, instead of dosfs_t.

From gajownik at gmail.com Sun Oct 29 16:37:57 2006
From: gajownik at gmail.com (Dawid Gajownik)
Date: Sun, 29 Oct 2006 17:37:57 +0100
Subject: How should I run genfscon in my module?
In-Reply-To: <4544D3E1.8000102@tresys.com>
References: <45428AA2.9080106@gmail.com> <4544D3E1.8000102@tresys.com>
Message-ID: <4544D8E5.1070506@gmail.com>

On 10/29/2006 05:16 PM, user Joshua Brindle wrote:
> Modules do not allow genfscon statements; the grammar of modules is a
> subset of the base policy grammar.

Thanks for the clarification.
I'll need to modify the policy-selinux SRPM then.

> However, is this filesystem slated for the upstream kernel?

From what I read on the upstream project page¹, it will be merged into the ntfsprogs package. I don't know what will happen then with the ntfs module included in the kernel.

> If so it should be added to refpolicy anyway; it would get the nfs_t
> type though, instead of dosfs_t.

nfs_t? Well, in the current policy the ntfs filesystem type is marked as dosfs_t type, so I don't see a reason to mark ntfs-3g in a different way. ntfs-3g is "just" ntfs with write access² ;-)

Regards,
Dawid

¹ http://www.linux-ntfs.org/
² http://wiki.linux-ntfs.org/doku.php?id=ntfs-3g

--
^_*

From gajownik at gmail.com Sun Oct 29 17:18:37 2006
From: gajownik at gmail.com (Dawid Gajownik)
Date: Sun, 29 Oct 2006 18:18:37 +0100
Subject: How should I run genfscon in my module?
In-Reply-To: <4544D8E5.1070506@gmail.com>
References: <45428AA2.9080106@gmail.com> <4544D3E1.8000102@tresys.com> <4544D8E5.1070506@gmail.com>
Message-ID: <4544E26D.3060902@gmail.com>

On 10/29/2006 05:37 PM, user Dawid Gajownik wrote:
>> Modules do not allow genfscon statements; the grammar of modules is a
>> subset of the base policy grammar.
>
> Thanks for the clarification. I'll need to modify the policy-selinux SRPM then.

Ugh, I must have found some weird bug or something.
Applying the attached patch makes compilation fail with this message:

Compiling targeted base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/services/xserver.te:740:ERROR 'syntax error' at token 'ntfs-3g' on line 1002121:
genfscon ntfs / system_u:object_r:dosfs_t:s0
genfscon ntfs-3g / system_u:object_r:dosfs_t:s0
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.45484 (%install)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.45484 (%install)
[rpm-build at X selinux-policy-2.4.1]$

I've been modifying the selinux-policy-2.4.1-3.fc6.src.rpm package. It looks like checkmodule does not like the dash, because after removing this character from the patch (that means s/ntfs-3g/ntfs3g/) compilation finishes cleanly.

What now? I would like to fix bug 211767 ASAP, because users are starting to turn off SELinux :(

Regards,
Dawid

--
^_*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntfs-3g.patch
Type: text/x-patch
Size: 681 bytes
Desc: not available
URL:

From jbrindle at tresys.com Sun Oct 29 17:33:45 2006
From: jbrindle at tresys.com (Joshua Brindle)
Date: Sun, 29 Oct 2006 12:33:45 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <4544E26D.3060902@gmail.com>
Message-ID: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com>

> From: Dawid Gajownik [mailto:gajownik at gmail.com]
>
> On 10/29/2006 05:37 PM, user Dawid Gajownik wrote:
>
> RPM build errors:
> Bad exit status from /var/tmp/rpm-tmp.45484 (%install)
> [rpm-build at X selinux-policy-2.4.1]$
>
> I've been modifying the selinux-policy-2.4.1-3.fc6.src.rpm
> package. It looks
> like checkmodule does not like the dash, because after removing this
> character from the patch (that means s/ntfs-3g/ntfs3g/) compilation
> finishes cleanly.
>
> What now?
I would like to fix bug 211767 ASAP, because users are starting to
> turn off SELinux :(
>

Right, that's a hard fix I think; dashes aren't allowed in identifiers and they are treated specially for use in MLS ranges.. Why are they putting a dash in a filesystem name anyway?

From gajownik at gmail.com Sun Oct 29 20:06:26 2006
From: gajownik at gmail.com (Dawid Gajownik)
Date: Sun, 29 Oct 2006 21:06:26 +0100
Subject: How should I run genfscon in my module?
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com>
References: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com>
Message-ID: <454509C2.7080008@gmail.com>

On 10/29/2006 06:33 PM, user Joshua Brindle wrote:
> Right, that's a hard fix I think; dashes aren't allowed in
> identifiers and they are treated specially for use in MLS ranges..

Oh, that's really bad :( Without that line files on an ntfs-3g filesystem have the unlabeled_t type and I would need to give too many privileges to the mount_t domain. So there is no hope to fix it in a clean way?

> Why are they putting a dash in a filesystem name anyway?

I don't know -- I'm not the creator of ntfs-3g ;-)

--
^_*

From ynakam at hitachisoft.jp Sun Oct 29 23:20:34 2006
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Mon, 30 Oct 2006 08:20:34 +0900
Subject: SELinux Policy Editor for FC6 (Re: Frontend for SELinux
In-Reply-To:
References:
Message-ID: <20061030082034.a6fd132f.ynakam@hitachisoft.jp>

On Sat, 28 Oct 2006 14:02:22 +0800
"Luya Tshimbalanga" wrote:
> Reading OSNews, I stumbled on this page http://seedit.sourceforge.net/
> A frontend for SELinux developed by a Hitachi Software (yes, Hitachi
> division) employee under the GPL license.
> That application is well suited to be part of Core, which will
> simplify administrators' tasks.
> Can someone talk with these Hitachi developers to bring it into the Core or
> Extras repository?

Hi, I am the developer of the tool.
I sent another e-mail to the sender, but I would like to announce that SELinux Policy Editor 2.1 is being developed for Fedora Core6. We have version 2.1.0-b3, it works on Fedora Core6. You can try it from http://seedit.sourceforge.net/. Yuichi Nakamura From ynakam at hitachisoft.jp Mon Oct 30 02:28:48 2006 From: ynakam at hitachisoft.jp (Yuichi Nakamura) Date: Mon, 30 Oct 2006 11:28:48 +0900 Subject: semodule -b does not work in FC5 In-Reply-To: <1161610135.3316.55.camel@moss-spartans.epoch.ncsc.mil> References: <1161610135.3316.55.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <20061030112848.5ca8546b.ynakam@hitachisoft.jp> On Mon, 23 Oct 2006 09:28:55 -0400 Stephen Smalley wrote: > It shouldn't fail, but try updating to checkpolicy 1.32 and rebuilding > that policy (you have a newer libsepol with an older checkpolicy, which > should work, but seems to have run into a bug). By the way, you don't > have to edit the spec file - you can just --define "BUILD_STRICT 0" > --define "BUILD_MLS 0" on the rpmbuild command line. I tried yum update today, and found that checkpolicy is updated. semodule -b works now, thank you. Yuichi Nakamura From andrew.z.savva at jpmorgan.com Mon Oct 30 10:15:24 2006 From: andrew.z.savva at jpmorgan.com (andrew.z.savva at jpmorgan.com) Date: Mon, 30 Oct 2006 10:15:24 +0000 Subject: Problem with Selinux when upgrading from FC3 to FC6 Message-ID: Hi, I recently upgraded a fedora core 3 machine to FC6 and have a serious problem getting it to function correctly. On boot up many of the services complain about missing shared libraries, e.g. libssl, libdl.so, etc. However, the system continues on and gets to a (text based) login prompt. I log in on the console and none of the commands work. I try simple commands like "ls", "w", "ifconfig", "init" and it complains about missing libc.so and other really fundamental system libraries. However what is really strange is that I rebooted into single user mode (i.e. 
run level 1) and I can log in okay and I can run the above commands as normal! I checked to see if the libraries exist on the disk and everything is perfectly fine. In fact I managed to get a crippled system running from run level 1 and successfully got a network running and started services like postfix, asterisk and httpd without any problems. If I enter run level 3 or 5 then nothing is accessible from root or through an ordinary user account. I tried various methods of login in including ssh, sftp, etc and each time I am told that the shared library doesn't exist. I did a bit of poking around in run level 3 and although I cannot "ls" the shared library files (because "ls" doesn't work) I can still cd /lib and I can use filename completion to show the files. Then I decided to try run on and I found that running a shared library presents you with information about the lib, e.g. version, GNU licence, etc (that's the first time I knew you could do that so that was something I learnt). This proves that the libraries do exist and they are accessible from run level 1. I tried both a Selinux kernel (the one from FC6) and my original 2.6.18.1 kernel (without selinux) and both exhibit the same behaviour. When I booted into the selinux kernel the filesystem was relabelled by selinux as expected. What I don't understand is that selinux is turned off in /etc/sysconfig/selinux and I've never enabled it on my FC3 machine so I don't know why it is broken. I checked through the log files and I don't see any mention of any selinux problems or any reports from selinux but I still thought it might be a selinux related issue. It's certainly the strangest problem I've ever encountered on Linux. It seems to me like the system is denying access to files and that's what led me to believe it might be a selinux related issue and as I've never used it before I thought it was a likely candidate. 
Also I upgraded three other machines (admittedly running different flavours of FC) and ran into no problems in the upgrade. One significant difference between them was that the FC3 machine had selinux installed (but disabled) on it.

I would really appreciate some help because I'm usually able to fix any Linux issue and this one has got me stumped. I have completely lost access to my machine and to make matters worse it is a remote machine and I only get access to it at the weekends!

Thanks in advance,
Andrew.

This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase & Co., its subsidiaries and affiliates.

This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
From stuart at secpay.com Mon Oct 30 15:50:16 2006
From: stuart at secpay.com (Stuart James)
Date: Mon, 30 Oct 2006 15:50:16 +0000
Subject: semodule
Message-ID: <20061030155016.696d7bff@localhost.localdomain>

Hi,

Just a quick question really as I can not find this in the documentation. When you load the module up after creating it, on a reboot does it load automatically?

Thanks in advance
-- 
Stuart James

From kmacmill at redhat.com Mon Oct 30 16:59:26 2006
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 30 Oct 2006 11:59:26 -0500
Subject: semodule
In-Reply-To: <20061030155016.696d7bff@localhost.localdomain>
References: <20061030155016.696d7bff@localhost.localdomain>
Message-ID: <1162227566.29732.17.camel@localhost.localdomain>

On Mon, 2006-10-30 at 15:50 +0000, Stuart James wrote:
> Hi,
>
> Just a quick question really as I can not find this in the
> documentation. When you load the module up after creating it, on a
> reboot does it load automatically?
>

Yes - the module will be active until it is removed with semodule -r.

Karl

From dwalsh at redhat.com Mon Oct 30 17:25:50 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 30 Oct 2006 12:25:50 -0500
Subject: Problem with Selinux when upgrading from FC3 to FC6
In-Reply-To:
References:
Message-ID: <4546359E.2000608@redhat.com>

andrew.z.savva at jpmorgan.com wrote:
>
> Hi,
>
> I recently upgraded a fedora core 3 machine to FC6 and have a serious
> problem getting it to function correctly.
>
> On boot up many of the services complain about missing shared
> libraries, e.g. libssl, libdl.so, etc. However, the system continues
> on and gets to a (text based) login prompt. I log in on the console
> and none of the commands work. I try simple commands like "ls", "w",
> "ifconfig", "init" and it complains about missing libc.so and other
> really fundamental system libraries.
>
> However what is really strange is that I rebooted into single user
> mode (i.e. run level 1) and I can log in okay and I can run the above
> commands as normal! I checked to see if the libraries exist on the
> disk and everything is perfectly fine. In fact I managed to get a
> crippled system running from run level 1 and successfully got a
> network running and started services like postfix, asterisk and httpd
> without any problems.
>
> If I enter run level 3 or 5 then nothing is accessible from root or
> through an ordinary user account. I tried various methods of logging in
> including ssh, sftp, etc and each time I am told that the shared
> library doesn't exist. I did a bit of poking around in run level 3 and
> although I cannot "ls" the shared library files (because "ls" doesn't
> work) I can still cd /lib and I can use filename completion to show
> the files. Then I decided to try running one and I found that running a
> shared library presents you with information about the lib, e.g.
> version, GNU licence, etc (that's the first time I knew you could do
> that so that was something I learnt). This proves that the libraries
> do exist and they are accessible from run level 1.
>
> I tried both a Selinux kernel (the one from FC6) and my original
> 2.6.18.1 kernel (without selinux) and both exhibit the same behaviour.
> When I booted into the selinux kernel the filesystem was relabelled by
> selinux as expected.
>
> What I don't understand is that selinux is turned off in
> /etc/sysconfig/selinux and I've never enabled it on my FC3 machine so
> I don't know why it is broken. I checked through the log files and I
> don't see any mention of any selinux problems or any reports from
> selinux but I still thought it might be a selinux related issue.
>
> It's certainly the strangest problem I've ever encountered on Linux.
> It seems to me like the system is denying access to files and that's
> what led me to believe it might be a selinux related issue and as I've
> never used it before I thought it was a likely candidate.
>
> Also I upgraded three other machines (admittedly running different
> flavours of FC) and ran into no problems in the upgrade. One
> significant difference between them was that the FC3 machine had
> selinux installed (but disabled) on it.
>
> I would really appreciate some help because I'm usually able to fix
> any Linux issue and this one has got me stumped. I have completely
> lost access to my machine and to make matters worse it is a remote
> machine and I only get access to it at the weekends!
>
> Thanks in advance,
> Andrew.
>

Boot single user mode
touch /.autorelabel
reboot

Which should fix the labeling on the system so you can run with SELinux on.

From dwalsh at redhat.com Mon Oct 30 17:26:26 2006
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 30 Oct 2006 12:26:26 -0500
Subject: Today's update: install errors
In-Reply-To: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com>
References: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com>
Message-ID: <454635C2.50200@redhat.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> Got this with today's updates:
>
> Updating : selinux-policy-targeted ####################### [ 6/12]
> libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy
> did not exit cleanly.
> libsemanage.semanage_reload_policy: load_policy returned error code -1.
> libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy
> did not exit cleanly.
> libsemanage.semanage_reload_policy: load_policy returned error code -1.
> semodule: Failed!
> Cleanup : selinux-policy ####################### [ 7/12]
>
> tom

Any avc messages?
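Dan Walsh's fix for the FC3-to-FC6 upgrade problem (boot single user, touch /.autorelabel, reboot) works because the relabel rewrites every file's security context from the policy's file_contexts table, which is exactly what an upgrade that skipped relabelling leaves stale. The script below is an added example written for this thread; it is not code from the list or from the SELinux project. It models the relabel decision the way a dry run does: each path is looked up against a constructed file_contexts excerpt and the files whose on-disk label differs from the expected one are reported. It assumes file_contexts(5) semantics (entries are anchored regexes with an optional object-type flag such as "--" or "-d", and the last matching entry wins); the entries and the on-disk labels are constructed sample data, not copied from any Fedora release.

```python
"""Dry-run model of what a filesystem relabel decides for each file.

Added example; not code from the fedora-selinux-list thread or from the
SELinux project. Assumes file_contexts(5) semantics: anchored regexes,
an optional type flag, last match wins. All data below is constructed.
"""
import re

# Constructed excerpt in file_contexts format (regex, optional type
# flag, context). Not copied from a real policy.
SAMPLE_FILE_CONTEXTS = r"""
/.*                                 system_u:object_r:default_t:s0
/lib(64)?(/.*)?                     system_u:object_r:lib_t:s0
/lib(64)?/ld[^/]*\.so(\.[^/]*)*  -- system_u:object_r:ld_so_t:s0
/bin(/.*)?                          system_u:object_r:bin_t:s0
/etc(/.*)?                          system_u:object_r:etc_t:s0
/var/spool/news(/.*)?               system_u:object_r:news_spool_t:s0
"""

# Constructed on-disk labels, as ls -Z would show them after an upgrade
# that skipped relabelling: two libraries still carry a stale pre-upgrade
# type with no MLS field, and the news spool has a generic spool type.
SAMPLE_CURRENT = {
    "/lib/libc.so.6":     ("file", "system_u:object_r:shlib_t"),
    "/lib/ld-linux.so.2": ("file", "system_u:object_r:shlib_t"),
    "/bin/ls":            ("file", "system_u:object_r:bin_t:s0"),
    "/etc/passwd":        ("file", "system_u:object_r:etc_t:s0"),
    "/var/spool/news":    ("dir",  "system_u:object_r:var_spool_t:s0"),
}

# file_contexts type flags and the object kind each restricts an entry to.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


def parse_file_contexts(text):
    """Return [(compiled_regex, kind_or_None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            kind = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, ctx = parts
            kind = None
        else:
            raise ValueError("malformed file_contexts entry: " + line)
        specs.append((re.compile(regex), kind, ctx))
    return specs


def match_context(specs, path, kind="file"):
    """Context the policy expects for path, or None if nothing matches.

    Each regex must match the whole path, and the last match wins, so
    specific entries placed after general ones override them.
    """
    expected = None
    for regex, entry_kind, ctx in specs:
        if entry_kind is not None and entry_kind != kind:
            continue
        if regex.fullmatch(path):
            expected = ctx
    return expected


def relabel_plan(specs, current):
    """(path, on_disk_context, expected_context) for every path whose
    label differs from what file_contexts says it should be."""
    changes = []
    for path, (kind, ctx) in sorted(current.items()):
        expected = match_context(specs, path, kind)
        if expected is not None and expected != ctx:
            changes.append((path, ctx, expected))
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, old, new in relabel_plan(specs, SAMPLE_CURRENT):
        # One line per file a relabel would touch; correctly labelled
        # files (here /bin/ls and /etc/passwd) are left alone.
        print(f"relabel {path} from {old} to {new}")
```

On a real system the same report comes from "restorecon -n -v /lib" (dry run, no changes) or "fixfiles check", which is a cheap first check before committing to a full relabel and reboot.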
From selinux at gmail.com Mon Oct 30 17:45:17 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 30 Oct 2006 09:45:17 -0800
Subject: Today's update: install errors
In-Reply-To: <454635C2.50200@redhat.com>
References: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com> <454635C2.50200@redhat.com>
Message-ID: <4c4ba1530610300945p15c2a6aie3f996b0336c6ea5@mail.gmail.com>

On 10/30/06, Daniel J Walsh wrote:
> Tom London wrote:
> > Running latest rawhide, targeted/enforcing.
> >
> > Got this with today's updates:
> >
> > Updating : selinux-policy-targeted ####################### [ 6/12]
> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy
> > did not exit cleanly.
> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy
> > did not exit cleanly.
> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
> > semodule: Failed!
> > Cleanup : selinux-policy ####################### [ 7/12]
> >
> > tom
> Any avc messages?
>
None that I can see.

-- 
Tom London

From selinux at gmail.com Mon Oct 30 17:46:13 2006
From: selinux at gmail.com (Tom London)
Date: Mon, 30 Oct 2006 09:46:13 -0800
Subject: Today's update: install errors
In-Reply-To: <454635C2.50200@redhat.com>
References: <4c4ba1530610281035o337d67a9r63d8d324dacfba85@mail.gmail.com> <454635C2.50200@redhat.com>
Message-ID: <4c4ba1530610300946r1be9ad13oe10f03c12f27f411@mail.gmail.com>

On 10/30/06, Daniel J Walsh wrote:
> Tom London wrote:
> > Running latest rawhide, targeted/enforcing.
> >
> > Got this with today's updates:
> >
> > Updating : selinux-policy-targeted ####################### [ 6/12]
> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy
> > did not exit cleanly.
> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
> > libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy
> > did not exit cleanly.
> > libsemanage.semanage_reload_policy: load_policy returned error code -1.
> > semodule: Failed!
> > Cleanup : selinux-policy ####################### [ 7/12]
> >
> > tom
> Any avc messages?
>
I'm thinking maybe this is related to the glibc breaking setuid programs. That possible?

tom

-- 
Tom London

From sds at tycho.nsa.gov Tue Oct 31 17:49:35 2006
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 31 Oct 2006 12:49:35 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <454509C2.7080008@gmail.com>
References: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com> <454509C2.7080008@gmail.com>
Message-ID: <1162316975.32614.146.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> On 10/29/2006 06:33 PM, user Joshua Brindle wrote:
> > Right, that's a hard fix I think, dashes aren't allowed in
> > identifiers and they are treated specially for use in MLS ranges..
>
> Oh, that's really bad :( Without that line files on ntfs-3g filesystem
> have unlabeled_t type and I would need to give too many privileges to
> mount_t domain.
>
> So there is no hope to fix it in the clean way?

File it as a bug against checkpolicy.

> > Why are they putting a dash in a filesystem name anyway?
>
> I don't know -- I'm not the creator of ntfs-3g ;-)
>

-- 
Stephen Smalley
National Security Agency

From kmacmill at redhat.com Tue Oct 31 21:48:54 2006
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 31 Oct 2006 16:48:54 -0500
Subject: How should I run genfscon in my module?
In-Reply-To: <1162316975.32614.146.camel@moss-spartans.epoch.ncsc.mil>
References: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com> <454509C2.7080008@gmail.com> <1162316975.32614.146.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1162331334.4147.6.camel@localhost.localdomain>

On Tue, 2006-10-31 at 12:49 -0500, Stephen Smalley wrote:
> On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> > On 10/29/2006 06:33 PM, user Joshua Brindle wrote:
> > > Right, that's a hard fix I think, dashes aren't allowed in
> > > identifiers and they are treated specially for use in MLS ranges..
> >
> > Oh, that's really bad :( Without that line files on ntfs-3g filesystem
> > have unlabeled_t type and I would need to give too many privileges to
> > mount_t domain.
> >
> > So there is no hope to fix it in the clean way?
>
> File it as a bug against checkpolicy.

I looked at fixing this by changing genfscon to use user_identifier instead of identifier (they are the same except user_identifier includes "-"). This made checkpolicy generate a syntax error for all genfscon statements - haven't tracked down what the problem is. The grammar still seems to be unambiguous. I'll try to get back to it soon, but thought I would post this in case someone knows what the issue is off the top of their head.

Karl

From gajownik at gmail.com Tue Oct 31 22:09:22 2006
From: gajownik at gmail.com (Dawid Gajownik)
Date: Tue, 31 Oct 2006 23:09:22 +0100
Subject: How should I run genfscon in my module?
In-Reply-To: <1162316975.32614.146.camel@moss-spartans.epoch.ncsc.mil>
References: <6FE441CD9F0C0C479F2D88F959B015885146CC@exchange.columbia.tresys.com> <454509C2.7080008@gmail.com> <1162316975.32614.146.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4547C992.3090907@gmail.com>

On 10/31/2006 06:49 PM, user Stephen Smalley wrote:
>> So there is no hope to fix it in the clean way?
>
> File it as a bug against checkpolicy.
d1 :-)

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213339

-- 
^_*