From dwalsh at redhat.com Wed Aug 1 18:20:38 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 01 Aug 2007 14:20:38 -0400
Subject: [RFC] policy about nas sound server
In-Reply-To: <46AAFF45.1090909@gmail.com>
References: <46AAFF45.1090909@gmail.com>
Message-ID: <46B0CEF6.80008@redhat.com>

Ken YANG wrote:
> hi all,
>
> i write module for Network Audio System (NAS) in fedora
> rawhide.
>
> firstly, i think there is not policy for nas, so i write
> from scratch, but after finishing, i found there is a
> soundserver module in policy, so i ported my nas policy
> into this module.
>
> i am not familiar with nas, so i just make some tests for
> new soundserver policy, especially some tools in nas package,
> including:
>
> audemo, audial, auinfo, aupanel, auplay......
>
> IMHO, it seems to work well, and there was not any errors
> about nas in audit messages.
>

First I removed soundd_etc_t and replaced it with etc_t. No reason to
create a type for config files, unless you are writing to them, or they
have data that you are trying to prevent other confined domains from
reading. Existing soundd policy has this so I am typealiasing in Rawhide.

nasd is creating sockets in /tmp. This is a bad idea. It should be
moved to /var/run. This will not work with a polyinstantiated /tmp

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453

domain_type(soundd_t)
domain_entry_file(soundd_t,soundd_exec_t)

Are provided already by

init_daemon_domain(soundd_t,soundd_exec_t)

+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

Includes

+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

You did not give the application the ability to create sound_tmp_t
files, so this is not necessary.

+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

I think you need manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

Because the /tmp/.socket does not exist beforehand, and the only thing
you are creating is a dir, so your file trans should look like the following.

+files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)

All these rules should change to var_run_t when nasd is fixed to use it.

From orion at cora.nwra.com Wed Aug 1 20:55:58 2007
From: orion at cora.nwra.com (Orion Poplawski)
Date: Wed, 01 Aug 2007 14:55:58 -0600
Subject: Need help with SELinux and SGE/ssh
Message-ID:

I'm running Sun Grid Engine on a CentOS 5 cluster and am having trouble
with SELinux preventing the proper setup of parallel environments. Turning
SELinux off allows everything to work properly. The problem seems to be
when SGE tries to use ssh to login to a remote machine. As part of this
process, it starts up a private sshd daemon to handle the connection. The
relevant error appears to be:

type=USER_LOGIN msg=audit(1186001097.981:19489): user pid=12066 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct=steph: exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.120, terminal=sshd res=failed)'
type=USER_ROLE_CHANGE msg=audit(1186001098.201:19491): user pid=12066 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='sshd: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'

sshd reports:

Aug 1 14:44:58 coop00 sshd[12066]: error: deny MLS level SystemLow-SystemHigh (user range s0). Continuing in permissive mode

I'm at a loss here. Can anyone explain what is going on and what is
failing? How can I make it work without running in permissive mode?

Thanks!

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion at cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

From lshoujun at yahoo.com Thu Aug 2 07:01:53 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Thu, 2 Aug 2007 00:01:53 -0700 (PDT)
Subject: Containing vmware player 2.0.0 with SELINUX
Message-ID: <47609.47348.qm@web34809.mail.mud.yahoo.com>

Hi all,

Today i managed to make the vmplayer run in its own domain. What I did was
add the statement to my vmware.te. Thanks to Ken and his suggestion (and
all of the help so far), i've got the "Selinux by example" book that i've
been reading as a reference.

domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)

Evident from the large amount of avc denials in setroubleshoot when i
launch vmplayer, i was able to see that vmplayer was running in the
context of:

root:system_r:vmware_t

Two questions from a security angle on this approach though:

1. If i allow transition from unconfined_t to vmware_t, it means that any
unconfined process can transit to vmware_t and be able to access the
vmware files. This is probably not what i'd desire. What would be a good
recommendation for this? Any best practices?

2. I still want to start vmware as a user program, probably not as a
service. In that case, would I still need to do something in the vmware.if
so that the domain auto trans can take on a role?

Now that i'm able to run it under the vmware_t domain, and see a lot of
avcs, i intend to make vmware run properly again. I'd go with allowing
whatever vmware wants to do, then tightening the security. There are a few
approaches i can use, and i'd like to seek your opinions on how to go
about doing it:

1. audit2allow: This will list all of the avcs and turn them into allow
statements. By adding these statements to my vmware.te, this would enable
vmware to function again. Problem is that i may end up with too many
statements. There would probably be macros to cover these.

2. macros: This is something i'm not familiar with. Is there any
documentation that describes some of the more commonly used macros? Or is
it better just to see the source?

3. policygentool: From what i understand, this is a script that would
generate a module for you. The question is how do i combine it with the
vmware source code that I've taken from the reference policy (that i'm
using now)? I foresee a lot of conflicts to be resolved, and it may
actually not be so clean.

What's your take on these approaches? Are there others that I've missed out?

Thanks in advance,
Louis

----- Original Message ----
From: Ken YANG
To: Louis Lam
Cc: Daniel J Walsh ; fedora-selinux-list at redhat.com
Sent: Tuesday, July 31, 2007 6:00:20 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX

Louis Lam wrote:
> Hi,
>
> Thanks for the reply.
>
> My conclusion is that I'm not sure where to place the domain_auto_trans()
> statement. If I can't place it in the vmware.if file (since it will not
> be read during module compilation), where can I put this statement? All
> i need to do now is to make the vmware executable run in its own domain
> e.g. vmware_t. But it seems more difficult than I thought.

if you want the vmware program to run in its own domain, all necessary
rules should be in the te file, e.g.

domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)

(just an example)

similarly, domain_auto_trans can also be used in the if file, especially
in per_role_template. All these depend on your purpose.

to make vmware run in selinux-policy>3.0, the easiest way is to follow
Tom's guide, i.e. modify the net-service.sh to restore the label after
creating the device node.

but if you want to make the policy contain vmware, you must resolve the
"device node label" problem. IMHO, you should use fs_use_trans to make
the label automatically:

http://marc.info/?l=selinux&m=118481693028190&w=2

now, i have no time to do this, so i have not solved the problems i
encountered.

> Can you point me to resources on how to develop modules? Can someone
> help me with this problem?

"Beginning is the most difficult one, but A Good Beginning is half the
battle" :-)

after you finish the beginning, you will find it's not difficult.

The book <> is a good guide for developing modules, but i think the best
guide to develop policy is the policy source.

> Thanks & Regards,
> Louis
>
> ----- Original Message ----
> From: Ken YANG
> To: Louis Lam
> Cc: Daniel J Walsh ; fedora-selinux-list at redhat.com
> Sent: Monday, July 30, 2007 6:53:17 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
>> Hi,
>>
>> I think i'm having a policy compilation problem here
>>
>> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>> statement to vmware.if. I was following the domain_auto_trans rules for
>> other apps such as mozilla. The syntax error problem went away.
>>
>> But the problem is that the domain transition didn't take place. My
>> vmplayer is still running in the unconfined state.
>>
>> I'm doing compilation of the vmware.pp module using
>> make -f /usr/share/selinux/devel/Makefile. I've tried to purposely
>> introduce errors into vmware.if to see if the compilation is effective:
>>
>> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>>
>> But the make process didn't detect any errors and the compilation still
>> went on. I did a diff between the vmware.pp at
>> /etc/selinux/targeted/modules/active/modules/vmware.pp and the
>> development directory (where I do all my compilation), but there are no
>> differences.
>>
>> Does it mean if the vmware.if file is modified it will not affect the make?
>
> as i infer (i'm not sure):
>
> the interface will not be checked unless someone invokes it, because if
> there are no invocations, the parameters can not be determined.
>
> when you build the vmware module, you will not use your own interface in
> your own module, so the build process will not detect the error.
>
>> How do you ensure that the changes at vmware.if are effective? (well at
>> least cause some compilation errors?)
>>
>> Thanks,
>> Louis
>>
>> ----- Original Message ----
>> From: Ken YANG
>> To: Louis Lam
>> Cc: Daniel J Walsh ; fedora-selinux-list at redhat.com
>> Sent: Saturday, July 28, 2007 5:28:25 PM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>> Louis Lam wrote:
>>> My mistakes, apologies for the confusion, under part 2, I was trying
>>> to do domain_auto_trans instead of domain_entry_file, so...
>>>
>>> 2. Created a domain transition so that the vmware user programs e.g.
>>> /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
>>> labelled system_u:object_r:vmware_exec_t will transit to
>>> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>>
>>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>>
>>> but on making the vmware.pp module I get this warning and error:
>>>
>>> 'syntax error' at token '1' on line 81143:
>>> #line 13
>>> allow $1_t vmware_exec_t: file {getattr read execute};
>>
>> this rule is generated by domain_auto_trans, so i think the
>> syntax error should be caused by other rules.
>>
>> you may check other rules in your policy.
>>
>>> Thanks in advance,
>>> Louis
>>>
>>> ----- Original Message ----
>>> From: Louis Lam
>>> To: Daniel J Walsh
>>> Cc: fedora-selinux-list at redhat.com
>>> Sent: Friday, July 27, 2007 5:05:05 AM
>>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>>
>>> Thanks Daniel for the information, hi everyone
>>>
>>> I've tried to make the following changes:
>>>
>>> 1. Defined the vmware_t type in vmware.te:
>>> type vmware_t;
>>>
>>> I need to do this since I'm trying to let the vmware user program run
>>> under the vmware_t domain but this is not defined. In terms of overall
>>> code compliance is it correct to define it here? Or should it be in
>>> vmware.if?
>>
>> type definition should be in vmware.te

From spng.yang at gmail.com Thu Aug 2 07:58:08 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Thu, 02 Aug 2007 15:58:08 +0800
Subject: [RFC] policy about nas sound server
In-Reply-To: <46B0CEF6.80008@redhat.com>
References: <46AAFF45.1090909@gmail.com> <46B0CEF6.80008@redhat.com>
Message-ID: <46B18E90.90104@gmail.com>

Daniel J Walsh wrote:
> Ken YANG wrote:
>> hi all,
>>
>> i write module for Network Audio System (NAS) in fedora
>> rawhide.
>>
>> firstly, i think there is not policy for nas, so i write
>> from scratch, but after finishing, i found there is a
>> soundserver module in policy, so i ported my nas policy
>> into this module.
>>
>> i am not familiar with nas, so i just make some tests for
>> new soundserver policy, especially some tools in nas package,
>> including:
>>
>> audemo, audial, auinfo, aupanel, auplay......
>>
>> IMHO, it seems to work well, and there was not any errors
>> about nas in audit messages.
>>
> First I removed soundd_etc_t and replaced it with etc_t. No reason to
> create a type for config files, unless
> you are writing to them, or they have data, that you are trying to
> prevent other confined domains from
> reading. Existing soundd policy has this so I am typealiasing in Rawhide.

I have changed the policy based on your advice, but i can not find the
typealias for etc_t in policy 3.0.4-5; maybe it is still in your
workbench and hasn't been exported.

> nasd is creating sockets in /tmp. This is a bad idea. It should be
> moved to /var/run. This will not work with a polyinstantiated /tmp
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453

i added myself to the cc-list, so if there are some changes i will
modify the policy.

> domain_type(soundd_t)
> domain_entry_file(soundd_t,soundd_exec_t)
>
> Are provided already by
>
> init_daemon_domain(soundd_t,soundd_exec_t)
>
>
> +manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
> Includes
>
> +delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)

sorry for my ignorance.

> You did not give the application the ability to create sound_tmp_t
> files, so this is not necessary.
> +delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
>
> I think you need manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
>
> Because the /tmp/.socket does not exist before hand
> And the only thing you are creating is a dir so your file trans should
> look like the following.
> +files_tmp_filetrans(soundd_t, soundd_tmp_t, dir)
>
> All these rules should change to var_run_t when nasd is fixed to use it.

the attached file is the newest patch based on selinux-policy-3.0.4-5,
please review it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: soundserver-3.0.4-5.patch
Type: text/x-patch
Size: 4255 bytes
Desc: not available

From cpebenito at tresys.com Thu Aug 2 16:47:38 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 02 Aug 2007 16:47:38 +0000
Subject: Containing vmware player 2.0.0 with SELINUX
In-Reply-To: <47609.47348.qm@web34809.mail.mud.yahoo.com>
References: <47609.47348.qm@web34809.mail.mud.yahoo.com>
Message-ID: <1186073258.4015.84.camel@gorn.columbia.tresys.com>

On Thu, 2007-08-02 at 00:01 -0700, Louis Lam wrote:
> Today i managed to make the vmplayer run in its own domain. What I did
> was added the statement to my vmware.te. Thanks to Ken and his
> suggestion (and all of the help so far), i've got the "Selinux by
> example" book that i've been reading as a reference.
>
> domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)
>
> Evident from the large amount of avc denials in setroubleshoot when i
> launch vmplayer, i was able to see that vmplayer was running in the
> context of :
>
> root:system_r:vmware_t
>
> Two questions from security angle on this approach though:
>
> 1. If i allow transition from unconfined_t to vmware_t, it means that
> any unconfined process can transit to vmware_t and be able to access
> the vmware files. This is probably not what i'd desire. What would be
> a good recommendation for this? Any best practices?

It doesn't matter, unconfined_t is unconfined; therefore, it already has
access to vmware files.

> 2. I still want to start vmware as a user program, probably not as a
> service. In that case, would I still need to do something in the
> vmware.if so that the domain auto trans can take on a role ?

I don't understand this question. Vmware has daemon parts for the vmnets,
and the user application is the player itself.

> Now that i'm able to run it under vmware_t domain, and see a lot of
> avcs, i intend to make vmware run properly again. I'd go with allowing
> whatever vmware wants to do, then tightening the security. There are a
> few approaches i can use, and i'd like to seek your opinions on how to
> go about doing it:
>
> 1. audit2allow: This will list all of the avcs and turn them into
> allow statements. By adding these statements to my vmware.te, this
> would enable vmware to function again. Problem is that i may end up
> with too many statements.

Correct.

> There would probably be macros to cover these.

There should already be sufficient existing interfaces, since there is
policy, though I tested it with vmware workstation, not the player (I
don't imagine they are very different access-wise).

> 2. macros: This is somethings i'm not familiar with. Are there any
> documentation that describe some of the more commonly used macros? Or
> it is better just to see the source?

By looking at a few of the source files, you can see the commonly used
interfaces. You can also look at the interface documentation, but it has
all the macros, not just the common ones:

http://oss.tresys.com/docs/refpolicy/api

> 3. policygentool: From what i understand, this is a script that would
> generate a module for you. the question is how do i combine it with
> the vmware source code that I've taken from the reference policy?
> (that i'm using now)? I foresee a lot of conflicts to be resolved. and
> may actually not be so clean.

I believe this tool is designed to be run on a service that doesn't
already have a policy. It just gets you a starting point, creating some
types, some interfaces, and a handful of common rules (leveraging
refpolicy interfaces).

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From kaigai at kaigai.gr.jp Thu Aug 2 17:51:02 2007
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Fri, 03 Aug 2007 02:51:02 +0900
Subject: SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)
In-Reply-To: <46B207B3.6040703@manicmethod.com>
References: <46681714.3030009@kaigai.gr.jp> <1181227502.11979.24.camel@moss-spartans.epoch.ncsc.mil> <46681ED6.1010408@kaigai.gr.jp> <46A861F6.10709@ak.jp.nec.com> <46A8CAE0.7030809@kaigai.gr.jp> <46B207B3.6040703@manicmethod.com>
Message-ID: <46B21986.5040806@kaigai.gr.jp>

Joshua Brindle wrote:
> KaiGai Kohei wrote:
>> By the way, I'm seeking sponsors who can review SE-PostgreSQL package.
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>
>> If you can volunteer the reviewing process, please contact me.
>>
>
> So, I tried grabbing the sepostgres srpm and building it (you didn't
> provide an x86_64 rpm) and I get these compilation errors:
>
> gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
> -Wmissing-prototypes -Wpointer-arith -Winline
> -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -g -D
> SECCLASS_DATABASE= -I../../../src/include -D_GNU_SOURCE -c -o
> sepgsqlCore.o sepgsqlCore.c
> sepgsqlCore.c: In function 'sepgsqlGetDatabaseContext':
> sepgsqlCore.c:792: error: expected expression before ')' token
> sepgsqlCore.c: In function 'sepgsqlInitialize':
> sepgsqlCore.c:836: error: expected expression before ',' token
> sepgsqlCore.c:854: error: expected expression before ',' token
> make[3]: *** [sepgsqlCore.o] Error 1
> make[3]: Leaving directory
> `/usr/src/redhat/BUILD/postgresql-8.2.4/src/backend/security'
> make[2]: *** [security-recursive] Error 2

Joshua,

It seems to me that SECCLASS_DATABASE is defined as empty.
It is normally computed in the %build section of the specfile as follows:

SECCLASS_DATABASE=`grep ^define %{_datadir}/selinux/devel/include/support/all_perms.spt \
                   | cat -n | grep all_database_perms | awk '{print $1}'`
make CUSTOM_COPT=" -D SECCLASS_DATABASE=${SECCLASS_DATABASE}" %{?_smp_mflags}

Thus, selinux-policy-devel-xxx-sepgsql has to be installed to build.

If SECCLASS_DATABASE is not defined, it's defined as 61, being next to
SECCLASS_DCCP_SOCKET. It is correct for Fedora 6, but incorrect on the
latest Fedora 7 and Rawhide.

As you mentioned, I also think this trick is not a good idea.
However, the number of object classes is not constant between policy
versions, so I had to handle the difference and to follow the version up.
I modified it by hand at first, but a conditional definition for
SECCLASS_DATABASE became necessary, because the number of object classes
differs between Fedora Core 6 and Fedora 7.

I think integration of these definitions into the base policy is the best
way to avoid such an ugly implementation. :)

Thanks,

> As an aside to this, I notice that you tried to integrate policy
> management into the RPM, and I had to modify my spec file to not do this
> because I have my own custom policies on the system. I don't think this
> is the best way, long term, to handle policy integration, though,
> unfortunately, I don't have any better suggestions. This is something I
> intend to look into soon though so I'll provide some feedback on the
> previous thread when I have something useful to say :)

--
KaiGai Kohei

From mcneal at umich.edu Thu Aug 2 18:36:54 2007
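The specfile pipeline KaiGai quotes above derives SECCLASS_DATABASE from the position of a `define` line in all_perms.spt, which is why the value silently comes out empty when the sepgsql policy-devel package is missing and why it shifts between policy releases. The following is an added example (not KaiGai's or SE-PostgreSQL's code) that reproduces that derivation in Python on a constructed stand-in for all_perms.spt, fails loudly instead of expanding to an empty `-D`, and shows where the runtime discovery that Joshua recommends (`string_to_security_class` from the libselinux Python bindings, assumed importable as `selinux`) would take over when the kernel supports it. The `.spt` contents and the inserted `all_newclass_perms` entry are constructed for the demonstration.

```python
"""Compile-time vs runtime discovery of the 'database' object class number.

Replicates:  grep ^define all_perms.spt | cat -n | grep all_database_perms | awk '{print $1}'
and shows why the number moves when a class is inserted ahead of 'database'.
Constructed sample data; the real all_perms.spt defines far more classes.
"""
from typing import Optional

# Constructed stand-in for /usr/share/selinux/devel/include/support/all_perms.spt.
SPT_A = """\
# comment lines and blank lines are ignored by 'grep ^define'
define(`all_security_perms',`{ compute_av compute_create }')
define(`all_process_perms',`{ fork transition sigchld }')
define(`all_file_perms',`{ ioctl read write create }')
define(`all_dccp_socket_perms',`{ ioctl read write }')
define(`all_database_perms',`{ create drop getattr setattr }')
"""

# Same file with a hypothetical class inserted before 'database' (constructed):
# this is the situation between policy versions that KaiGai describes.
SPT_B = SPT_A.replace(
    "define(`all_database_perms'",
    "define(`all_newclass_perms',`{ read write }')\ndefine(`all_database_perms'",
)


def class_index_from_spt(spt_text: str, perms_macro: str) -> Optional[int]:
    """Mirror the shell pipeline: number only lines starting with 'define'
    (1-based, like cat -n) and return the number of the line naming perms_macro.
    None when absent, which is where the shell silently produced an empty value."""
    define_lines = [ln for ln in spt_text.splitlines() if ln.startswith("define")]
    for n, line in enumerate(define_lines, start=1):
        if perms_macro in line:
            return n
    return None


def custom_copt(spt_text: str) -> str:
    """Build the CUSTOM_COPT fragment, refusing to emit '-D SECCLASS_DATABASE='
    with no value (the cause of the 'expected expression' errors Joshua hit)."""
    idx = class_index_from_spt(spt_text, "all_database_perms")
    if idx is None:
        raise ValueError("all_database_perms not found: install the sepgsql policy-devel package")
    return f" -D SECCLASS_DATABASE={idx}"


def runtime_class_index(class_name: str) -> Optional[int]:
    """Runtime lookup through libselinux (assumed available as the 'selinux'
    Python module). Returns None when the bindings or the kernel interface
    are absent, so callers can fall back to the compile-time value."""
    try:
        import selinux  # type: ignore
        idx = selinux.string_to_security_class(class_name)
    except (ImportError, AttributeError, OSError):
        return None
    return idx or None


def secclass_database(spt_text: str) -> Optional[int]:
    """Prefer the kernel's answer; fall back to the fragile compile-time derivation."""
    return runtime_class_index("database") or class_index_from_spt(spt_text, "all_database_perms")


if __name__ == "__main__":
    print("SPT_A:", class_index_from_spt(SPT_A, "all_database_perms"))
    print("SPT_B (one class inserted):", class_index_from_spt(SPT_B, "all_database_perms"))
    print("runtime:", runtime_class_index("database"))
```

Running it shows the same macro yielding a different class number once a single class is inserted ahead of it, which is exactly the FC6/F7 discrepancy in the thread; a binary built with either number is only correct for the policy it was built against.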
From: mcneal at umich.edu (Patrick McNeal)
Date: Thu, 2 Aug 2007 14:36:54 -0400
Subject: Enabling the strict policy on Fedora 7
Message-ID:

I'm new to SELinux, and have been banging my head against the wall on how
to change from the targeted to the strict policy on my Fedora 7 box. I just
figured out how to do it, and thought that it would be a good thing to have
in the archive so others might more easily find a solution.

1 - Install the strict policy using the package manager. I used
    selinux-policy-strict-2.6.4-29.fc.noarch.
2 - Using the SELinux Administration tool, set the "system default policy
    type" to "strict".
3 - Set the "system default enforcing mode" to "permissive".
4 - Check "Relabel on next reboot".
5 - Reboot

If you leave enforcing mode set to the default of "enforcing" you'll get
this error on reboot:

/sbin/init: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Permission denied
Kernel panic - not syncing: Attempted to kill init!

Note, you can also make these changes via the command line by editing
/etc/selinux/config, set up a relabel by touching /.autorelabel, and
rebooting.

Hope that helps someone.

--Patrick

From jeff.holt at hotsos.com Thu Aug 2 21:04:54 2007
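Patrick's steps above encode one invariant: a change of SELINUXTYPE must be paired with a permissive boot and a full relabel, otherwise init runs under the new policy against a filesystem labelled for the old one and panics as he shows. This added example (not Patrick's code) applies that invariant to the text of /etc/selinux/config so that the policy-type switch and the permissive setting cannot be separated; the sample config text is constructed, and the file writes only happen when it is run as a script with an explicit path.

```python
"""Switch SELINUXTYPE in /etc/selinux/config without ending up enforcing a
policy the filesystem has not been relabelled for. Constructed sample input."""
import os
import re
import sys

# Constructed stand-in for /etc/selinux/config on a targeted, enforcing box.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""


def _get(text: str, key: str):
    m = re.search(rf"^{key}=(\S+)", text, re.M)
    return m.group(1) if m else None


def _set(text: str, key: str, value: str) -> str:
    if re.search(rf"^{key}=", text, re.M):
        return re.sub(rf"^{key}=.*$", f"{key}={value}", text, count=1, flags=re.M)
    return text.rstrip("\n") + f"\n{key}={value}\n"


def switch_policy_type(config_text: str, new_type: str) -> str:
    """Return the edited config. If the type really changes, SELINUX is forced
    to permissive for the relabel boot; an unchanged type leaves the mode alone."""
    if _get(config_text, "SELINUXTYPE") == new_type:
        return config_text
    text = _set(config_text, "SELINUXTYPE", new_type)
    return _set(text, "SELINUX", "permissive")


def needs_relabel(old_text: str, new_text: str) -> bool:
    """A relabel is required exactly when the policy type changed."""
    return _get(old_text, "SELINUXTYPE") != _get(new_text, "SELINUXTYPE")


def apply(config_path: str, new_type: str, autorelabel_path: str = "/.autorelabel") -> bool:
    """Rewrite config_path and request the relabel. Returns True if a reboot
    into permissive mode with a relabel is now pending."""
    with open(config_path) as fh:
        old = fh.read()
    new = switch_policy_type(old, new_type)
    if not needs_relabel(old, new):
        return False
    with open(config_path, "w") as fh:
        fh.write(new)
    with open(autorelabel_path, "w"):   # same effect as 'touch /.autorelabel'
        pass
    return True


if __name__ == "__main__":
    # usage: switch_policy.py /etc/selinux/config strict
    path, policy = sys.argv[1], sys.argv[2]
    pending = apply(path, policy)
    print("relabel reboot pending" if pending else "no change", "for", os.path.basename(path))
```

After the relabel boot completes, SELINUX can be set back to enforcing by hand; the script deliberately never does that step, because the relabel has to finish first.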
From: jeff.holt at hotsos.com (Jeff Holt)
Date: Thu, 2 Aug 2007 16:04:54 -0500
Subject: FC 6 - selinux issue with adding a new custom module
Message-ID:

I just copied mod_slam.so to /etc/httpd/modules, executed chcon -r
mod_alias.so mod_slam.so, and edited /etc/httpd/httpd.conf to load the new
module. As a result, I get the following avc error in my /var/log/messages.

Aug 2 13:28:00 build02 kernel: audit(1186079280.127:7): avc: denied { execmod } for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file

When I pass this text to audit2allow I get very little help.

$ tail -1 /var/log/messages | audit2allow

#============= httpd_t ==============
allow httpd_t httpd_modules_t:file execmod;
#

When I pass it to audit2why I get no more help still.

Aug 2 14:17:07 build02 kernel: audit(1186082227.562:10): avc: denied { execmod } for pid=19707 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

What I find frustrating is that loading the installed modules (i.e.,
installed with the httpd package) does not cause avc errors. In fact, if I
rename, say, mod_alias.so to something else it still loads after I
temporarily edit httpd.conf. And so, I find it hard to believe that the
security policy knows about specific file names. When I copy mod_alias.so
to something else (i.e., to give it a new inode) it still loads and so I
think that proves the security policy also knows nothing about inodes.
These two tests of renaming/copying mod_alias.so demonstrate to me that
rebooting the server or some other "configuration" action is not necessary.

My actual first question, since I know so little about selinux, is this:
if my module has the same security context as other modules, then why does
an attempt to load it cause that avc error?

Can anyone render assistance?

From ukhanlists at hotmail.com Thu Aug 2 21:05:15 2007
From: ukhanlists at hotmail.com (Ubaidul Khan)
Date: Thu, 02 Aug 2007 17:05:15 -0400
Subject: apache2 failing to start
Message-ID:

Hello,

We are running RHEL 5 x86_64 and I compiled php from the Source RPM, so I
could link php with the Oracle Instant Client Libraries (oci). OCI is
installed under /opt with the following contexts:

# ls -lZ
drwxr-xr-x  root root system_u:object_r:usr_t          oracle
[root at saleen_webvm1 instant-client-10.1]# pwd
/opt/oracle/app/instant-client-10.1
[root at saleen_webvm1 instant-client-10.1]# ls -alZ
drwxr-xr-x  root root system_u:object_r:usr_t          .
drwxr-xr-x  root root system_u:object_r:usr_t          ..
-rw-r--r--  root root system_u:object_r:usr_t          classes12.jar
drwxr-xr-x  root root system_u:object_r:usr_t          docs
-rw-r--r--  root root system_u:object_r:usr_t          glogin.sql
lrwxrwxrwx  root root system_u:object_r:usr_t          libclntsh.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libclntsh.so.10.1
-rwxr-xr-x  root root system_u:object_r:usr_t          libnnz10.so
lrwxrwxrwx  root root system_u:object_r:usr_t          libocci.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libocci.so.10.1
-rwxr-xr-x  root root system_u:object_r:usr_t          libociei.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libocijdbc10.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libsqlplus.so
-rw-r--r--  root root system_u:object_r:usr_t          ojdbc14.jar
-rw-r--r--  root root system_u:object_r:usr_t          README_IC.htm
drwxr-xr-x  root root system_u:object_r:usr_t          sdk
-rwxr-xr-x  root root system_u:object_r:usr_t          sqlplus
-rw-r--r--  root root system_u:object_r:usr_t          tnsnames.ora

When I try to start apache, I get some errors in audit.log and apache
fails to start.

type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10 success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0 ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880 pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1186088202.755:61): path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"

audit2allow is telling me to add the following rules:

# audit2allow < audit.log
allow httpd_t self:process execstack;
allow httpd_t usr_t:file execute;

My questions/concerns are the following:

1. What risks do I incur by making the process stack executable?

2. If I am reading the second rule correctly, it's asking to allow httpd_t
to execute user_t files?

Thanks for your help

From kaigai at kaigai.gr.jp Thu Aug 2 22:01:51 2007
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Fri, 03 Aug 2007 07:01:51 +0900
Subject: SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)
In-Reply-To: <46B21C29.906@manicmethod.com>
References: <46681714.3030009@kaigai.gr.jp> <1181227502.11979.24.camel@moss-spartans.epoch.ncsc.mil> <46681ED6.1010408@kaigai.gr.jp> <46A861F6.10709@ak.jp.nec.com> <46A8CAE0.7030809@kaigai.gr.jp> <46B207B3.6040703@manicmethod.com> <46B21986.5040806@kaigai.gr.jp> <46B21C29.906@manicmethod.com>
Message-ID: <46B2544F.4090700@kaigai.gr.jp>

> Err, I think you should be using the new userland discovery interface
> for this, hardcoding at compile time is a very bad idea (it makes the
> compiled binaries completely non-portable).
>
> look at libselinux/checkAccess.c in the trunk version to see how it is
> used, essentially something like:
>
> dbase_class = string_to_security_class("database");
> if (dbase_class == 0)
>     return 0;
>
> That lets you discover the class offset at runtime. There are also
> facilities for doing the same with permissions.

SE-PostgreSQL can already use the userland discovery interface, if the
kernel provides it. But it is available only in the latest kernel, now.
We also have to be able to apply the hardcoded object class number for a
while, to work on the current kernel (2.6.22 or older).

Otherwise, we have to replace or modify the base policy to add definitions
of new object classes and access vectors related to database, so we want
these definitions to be integrated into the base policy.

Thanks,

>> As you mentioned, I also think this trick is not a good idea.
>> However, the number of object classes is not constant between policy versions,
>> so I had to handle the difference and to follow the version up.
>> I modified it by hand at first, but conditional definition for SECCLASS_DATABASE
>> got necessary, because the number of object classes got differ between Fedora core 6
>> and Fedora 7.
>>
>> I think integration of these definitions into the base policy is the best way
>> to avoid such a ugly implementation. :)
>>
>> Thanks,
>>
>>> As an aside to this, I notice that you tried to integrate policy
>>> management into the RPM, and I had to modify my spec file to not do this
>>> because I have my own custom policies on the system. I don't think this
>>> is the best way, long term, to handle policy integration, though,
>>> unfortunately, I don't have any better suggestions. This is something I
>>> intend to look into soon though so I'll provide some feedback on the
>>> previous thread when I have something useful to say :)
>>>
>> --
>> KaiGai Kohei

--
KaiGai Kohei

From wilmer at fedoraproject.org Fri Aug 3 02:18:13 2007
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Thu, 2 Aug 2007 22:18:13 -0400
Subject: New resource for add in selinux.sf.net - Spanish Documentation
Message-ID: <2b26c4260708021918s1a2894a3r6d00558a2524c6dd@mail.gmail.com>

We believe it is really important to begin writing about selinux for
spanish speakers. http://wiki.fedora-ve.org/SELinux/ should be the link
to begin with, and http://wiki.fedora-ve.org/SELinux/Tips has more
complete information.

The wiki does not apply any restriction if you want to join and
participate in the SELinux Spanish Documentation.

Thanks for the attention.

--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From spng.yang at gmail.com Fri Aug 3 03:12:23 2007
From: spng.yang at gmail.com (Ken YANG) Date: Fri, 03 Aug 2007 11:12:23 +0800 Subject: FC 6 - selinux issue with adding a new custom module In-Reply-To: References: Message-ID: <46B29D17.2070509@gmail.com> Jeff Holt wrote: > I just copied mod_slam.so to /etc/httpd/modules, executed chcon -r > mod_alias.so mod_slam.so, and edited /etc/httpd/httpd.conf to load the > new module. As a result, I get the following avc error in my > /var/log/messages. > > > > Aug 2 13:28:00 build02 kernel: audit(1186079280.127:7): avc: denied { > execmod } for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0 > ino=8847362 scontext=user_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file execmod error means that your DSO is not built correctly, which need text relocation. you can test it by: readelf -d PROGRAMS | fgrep TEXTREL if yes, you can label the DSO with: chcon -t textrel_shlib_t mod_slam.so or if your want to make it forever: semanage fcontext -a -t textrel_shlib_t mod_slam.so but i recommend that you should build the DSO from scratch in right way, i.e. compiled with -fpic/-fPIC > > > > When I pass this text to audit2allow I get very little help. > > > > $ tail -1 /var/log/messages | audit2allow > > > > > > #============= httpd_t ============== > > allow httpd_t httpd_modules_t:file execmod; > > # > > > > When I pass it to audit2why I get no more help still. > > > > Aug 2 14:17:07 build02 kernel: audit(1186082227.562:10): avc: denied > { execmod } for pid=19707 comm="httpd" name="mod_slam.so" dev=dm-0 > ino=8847362 scontext=user_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file > > Was caused by: > > Missing or disabled TE allow rule. > > Allow rules may exist but be disabled by boolean > settings; check boolean settings. > > You can see the necessary allow rules by running > audit2allow with this audit message as input. 
> What I find frustrating is that loading the installed modules (i.e., installed with the httpd package) does not cause avc errors. In fact, if I rename, say, mod_alias.so to something else it still loads after I temporarily edit httpd.conf. And so, I find it hard to believe that the security policy knows about specific file names. When I copy mod_alias.so to something else (i.e., to give it a new inode) it still loads and so I think that proves the security policy also knows nothing about inodes. These two tests of renaming/copying mod_alias.so demonstrate to me that rebooting the server or some other "configuration" action is not necessary.

I don't completely understand what you said, but as far as I know, if your file is on a filesystem that supports extended attributes, e.g. ext3, the security context is stored in the inode as an extended attribute. When you cp onto a file that already exists, cp retains the context of the previous file, but if the file did not exist, the new file is labeled based on policy. Of course, cp has an option to retain the context. Finally, mv will attempt to retain the context of the file.

> My actual first question, since I know so little about selinux, is this: if my module has the same security context as other modules, then why does an attempt to load it cause that avc error?
>
> Can anyone render assistance?
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From ryvore at gmail.com Fri Aug 3 03:14:22 2007
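As an added example (not code from this thread), the Python below parses the three AVC denial formats that appear in this list (syslog `kernel: audit(...)`, auditd `type=AVC msg=audit(...)`, and the key-sorted form from mock logs) and groups them into the kind of `allow` lines audit2allow prints, so the source/target type pair can be inspected before anything is allowed; a pair like httpd_t on usr_t points at a labeling problem rather than a missing rule. The sample lines are copied from messages in this thread; `parse_avc` and `avc_to_rules` are names chosen here.

```python
import re
from collections import defaultdict

# Sample denials copied from messages in this thread (three log formats);
# the last line is a SYSCALL record, included to show it is skipped.
SAMPLE_AVC_LINES = [
    'Aug 2 13:28:00 build02 kernel: audit(1186079280.127:7): avc: denied { execmod } for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file',
    'type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0',
    'avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0',
    'type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9 success=no exit=-13',
]

# "avc: denied { perm [perm ...] } for key=value ..." in any of the wrappers above
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type field from user:role:type[:range]; fall back to the whole string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if any(key not in fields for key in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group(1).split(),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name") or fields.get("path"),
    }


def avc_to_rules(lines):
    """Aggregate denials into audit2allow-style 'allow' lines, sorted for stable output."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # audit2allow writes 'self' when source and target carry the same type
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        grouped[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_AVC_LINES):
        print(rule)
```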
From: ryvore at gmail.com (David-Alexandre Davidson)
Date: Thu, 02 Aug 2007 23:14:22 -0400
Subject: Problem with domain transition on a nfs_t mount
Message-ID: <46B29D8E.6020800@gmail.com>

On Fedora 7, latest selinux strict policy.

I have written a selinux module which goes through a domain transition when executing a file on a nfs mount (labeled nfs_t). However the transition never occurs, and I get a denied execute_no_trans on nfs_t files. In order to find the source of the problem I have taken a file with the exact same context outside of the nfs mount and the transition works fine.

Here is the related part of my module:

domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
allow custom_trans_t nfs_t:file rx_file_perms;
allow custom_trans_t nfs_t:dir r_dir_perms;

Here are the details on the nfs share:

file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /home/usera/var/bin/testphp.app

result:
type=AVC msg=audit(1186108700.494:230294): avc: denied { execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app" dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Running the same program and executing an identical file outside the nfs share (I labelled it manually to match):

file executed:
-rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /testphp.app

result:
transition is made to context i_custom_t, nothing is audited

Any idea what can cause this difference? I don't believe this behavior is normal. By the way, if I allow the execute_no_trans on nfs_t, the file gets executed just fine but without the expected transition...

Any help would be much appreciated!

--------------------------------------
David-Alexandre Davidson
IHQ Inc.

From spng.yang at gmail.com Fri Aug 3 05:10:27 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 03 Aug 2007 13:10:27 +0800
Subject: apache2 failing to start
In-Reply-To:
References:
Message-ID: <46B2B8C3.8010602@gmail.com>

Ubaidul Khan wrote:
> Hello,
>
> We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I could link php with Oracle Instant Client Libraries (oci). OCI is installed under /opt with the following contexts:
>
> # ls -lZ
> drwxr-xr-x root root system_u:object_r:usr_t oracle
>
> [root at saleen_webvm1 instant-client-10.1]# pwd
> /opt/oracle/app/instant-client-10.1
> [root at saleen_webvm1 instant-client-10.1]# ls -alZ
> drwxr-xr-x root root system_u:object_r:usr_t .
> drwxr-xr-x root root system_u:object_r:usr_t ..
> -rw-r--r-- root root system_u:object_r:usr_t classes12.jar
> drwxr-xr-x root root system_u:object_r:usr_t docs
> -rw-r--r-- root root system_u:object_r:usr_t glogin.sql
> lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
> -rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
> -rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
> lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
> -rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
> -rwxr-xr-x root root system_u:object_r:usr_t libociei.so
> -rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
> -rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
> -rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
> -rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
> drwxr-xr-x root root system_u:object_r:usr_t sdk
> -rwxr-xr-x root root system_u:object_r:usr_t sqlplus
> -rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
>
> When I try to start apache, I get some errors in audit.log and apache fails to start.
>
> type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
> type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10 success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0 ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
> type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880 pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC_PATH msg=audit(1186088202.755:61): path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
>
> audit2allow is telling me to add the following rules:
>
> # audit2allow < audit.log
> allow httpd_t self:process execstack;
> allow httpd_t usr_t:file execute;
>
> My question/concerns are the following:
>
> 1. What risks do I incur by making the process stack executable?

It will incur a security risk, such as buffer overflow. Stack memory is not executable on most OSes these days, and that will not change.
You can first use execstack to check whether your program really needs an executable stack (you must have prelink installed first), for example:

#execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
X libart_lgpl_2.so.2

and use execstack to remove the p_flags field of the PT_GNU_STACK header entry, then run the program to see whether it really needs the stack to be executable:

execstack -c libart_lgpl_2.so.2

If yes, you can also use a boolean to allow the stack to be executed:

setsebool [-P] allow_execstack 1

This will make all program stacks executable; there are also:

allow_java_execstack, allow_mplayer_execstack

Using these booleans, you will not need to write policy for executable stacks.

> 2. If I am reading the second rule correctly, it's asking to allow httpd_t to execute user_t files?

I wonder why your libraries are usr_t, not lib_t. If your libs are lib_t, httpd_t can execute those files.

> Thanks for your help

From spng.yang at gmail.com Fri Aug 3 07:03:31 2007
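As an added example, not code from the thread: a small Python ELF inspector that does in-process what the two checks recommended in this thread do, reading the dynamic section for DT_TEXTREL / DF_TEXTREL (what `readelf -d | fgrep TEXTREL` shows for the execmod case in the mod_slam.so thread) and the PF_X bit of the PT_GNU_STACK program header (what `execstack -q` reports for the execstack case here). It assumes 64-bit little-endian ELF; `inspect_elf` and `build_minimal_elf` are names chosen here, and the fixture images are constructed so the block runs offline, while a real .so path given on the command line is inspected instead.

```python
import struct
import sys

# ELF constants (values as in elf.h); only ELFCLASS64 little-endian objects are handled
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
DT_NULL = 0
DT_TEXTREL = 22
DT_FLAGS = 30
DF_TEXTREL = 0x4
PHDR_SIZE = 56   # sizeof(Elf64_Phdr)
DYN_SIZE = 16    # sizeof(Elf64_Dyn)


def inspect_elf(data: bytes) -> dict:
    """Report text relocations and stack executability for one ELF image.

    'textrel'   True when the dynamic section carries DT_TEXTREL, or DF_TEXTREL in
                DT_FLAGS; such a DSO needs execmod when loaded, so under SELinux it
                must be rebuilt with -fPIC or labelled textrel_shlib_t.
    'execstack' True/False from the PF_X bit of PT_GNU_STACK; None when that header
                is absent, the case execstack -q prints as '?'.
    """
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only 64-bit little-endian ELF is handled")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    result = {"textrel": False, "execstack": None}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz (p_memsz/p_align unused)
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            result["execstack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # Walk Elf64_Dyn {d_tag, d_val} entries until DT_NULL
            pos, end = p_offset, p_offset + p_filesz
            while pos + DYN_SIZE <= end:
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    result["textrel"] = True
                pos += DYN_SIZE
    return result


def build_minimal_elf(dyn_entries, stack_flags=None) -> bytes:
    """Constructed fixture: an ET_DYN image with a PT_DYNAMIC header (plus PT_GNU_STACK
    when stack_flags is given) and no code, just enough for inspect_elf to walk."""
    n_phdrs = 1 + (stack_flags is not None)
    dyn_off = 64 + PHDR_SIZE * n_phdrs
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    # e_type=ET_DYN(3), e_machine=EM_X86_64(0x3e), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64,
                               PHDR_SIZE, n_phdrs, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0x6, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    if stack_flags is not None:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], inspect_elf(fh.read()))
    else:
        print("textrel DSO:  ", inspect_elf(build_minimal_elf([(DT_TEXTREL, 0)])))
        print("execstack DSO:", inspect_elf(build_minimal_elf([(DT_FLAGS, 0x8)], stack_flags=0x7)))
```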
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 03 Aug 2007 15:03:31 +0800
Subject: New resource for add in selinux.sf.net - Spanish Documentation
In-Reply-To: <2b26c4260708021918s1a2894a3r6d00558a2524c6dd@mail.gmail.com>
References: <2b26c4260708021918s1a2894a3r6d00558a2524c6dd@mail.gmail.com>
Message-ID: <46B2D343.30904@gmail.com>

Wilmer Jaramillo M. wrote:
> We believe it is really important to begin writing about selinux for Spanish speakers; http://wiki.fedora-ve.org/SELinux/ should be the link to begin with, and http://wiki.fedora-ve.org/SELinux/Tips has more complete information.
>
> The wiki does not apply any restriction if you want to join and participate in the SELinux Spanish Documentation.

I don't understand Spanish, but it seems good :-)

> Thanks for the attention.

From bjlongo at ncsu.edu Fri Aug 3 07:25:01 2007
From: bjlongo at ncsu.edu (bradley)
Date: Fri, 03 Aug 2007 03:25:01 -0400
Subject: newrole?
Message-ID: <46B2D84D.80209@ncsu.edu>

I recently have decided I was going to play with selinux. Before I set the selinux value to enforcing I read up on it online and saw that to change my privileges I need to use the newrole command. It seemed simple enough, but I don't seem to have this command and there's also no man page on it. When I checked fedora forums someone had the same problem, and the only reply to it was to send an email here. Does anyone have any information that can help me out? I am using fedora 7 on a thinkpad T60 by the way.

--Brad

From spng.yang at gmail.com Fri Aug 3 07:54:58 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 03 Aug 2007 15:54:58 +0800
Subject: newrole?
In-Reply-To: <46B2D84D.80209@ncsu.edu>
References: <46B2D84D.80209@ncsu.edu>
Message-ID: <46B2DF52.5070301@gmail.com>

bradley wrote:
> I recently have decided I was going to play with selinux. Before I set the selinux value to enforcing I read up on it online and saw that to change my privileges I need to use the newrole command. It seemed simple enough, but I don't seem to have this command and there's also no man page on it. When I checked fedora forums someone had the same problem, and the only reply to it was to send an email here. Does anyone have any information that can help me out? I am using fedora 7 on a thinkpad T60 by the way.

newrole is in the policycoreutils-newrole package, which is installed with the strict policy, i.e. selinux-policy-strict. On a normal system there is only selinux-policy-targeted, which does not need the newrole command. Before selinux-policy-targeted-3.0 there was no role structure, so newrole was not necessary.

The strict policy is more strict than the targeted policy, which will inconvenience normal users. Mostly the strict policy is used in special situations, such as the military.

> --Brad

From amarkelov at pluscom.ru Fri Aug 3 12:12:33 2007
From: amarkelov at pluscom.ru (Markelov Andrey)
Date: Fri, 3 Aug 2007 16:12:33 +0400
Subject: Policycoreutils man pages translation to Russian language
Message-ID:

Hello,

I translated all 20 man pages from policycoreutils into Russian. Before that work I had some experience with translation (for example, translating the RHEL4 docs into Russian at A.B.A. Inventa - http://www.rhd.ru/docs/). So I hope that my translation is ok. Also, the translation was checked by my colleague, an RHCX.

Is it possible to include the translated pages in the policycoreutils package? I also opened ticket #250741 in bugzilla.

____
Andrey Markelov
Plus Communications
Phone: +7(495)777-0-111 ext.533

From cpebenito at tresys.com Fri Aug 3 12:26:27 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 03 Aug 2007 12:26:27 +0000
Subject: [ANN] SETools 3.3 Release
Message-ID: <1186143987.4015.111.camel@gorn.columbia.tresys.com>

A new release of SETools is now available on the Tresys OSS site, from http://oss.tresys.com. The primary changes this release are performance enhancements, especially for source policies, the ability to select which AV rules are compared (allow and dontaudit only, for example) in sediff and sediffx, and a rewrite of libsefs with C++. The complete change log for this release follows.

SETools 3.3:

SETools:
* SETools now has an external dependency upon libsqlite3 >= 3.2. The supplied configure script will enforce this dependency.
* pkg-config scripts are installed with the SETools libraries.

libsefs:
* Rewrite of library to have proper namespaces and much more usable object-oriented design.
* SWIG wrappers generated for this library if the appropriate configure flags are set.

findcon, searchcon:
* Merge searchcon's functionality into findcon. The searchcon tool has been removed from SETools.

indexcon, replcon:
* Updated to use new libsefs design.

apol:
* Updated to use new libsefs design.
* Modified to use the SWIG Tcl interface rather than a custom C library. apol is now a combination of a Tcl script (simply called 'apol') and associated packages that are required at runtime.
* Neverallow rules are only loaded and expanded when the user performs a search for them. This will dramatically speed up initial policy load time.

awish:
* awish is no longer needed and thus has been removed from SETools.

sediff, sediffx:
* Instead of differentiating "AV rules" or "TE rules", user now specifies which particular rule to compare (allow, dontaudit, type_transition, etc.).
* Neverallow rules are only loaded and expanded when the user performs a diff upon them. This will dramatically speed up initial policy load time.
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 From selinux at gmail.com Fri Aug 3 14:03:13 2007 
From: selinux at gmail.com (Tom London) Date: Fri, 3 Aug 2007 07:03:13 -0700 Subject: ldconfig AVCs ..... needs /var Message-ID: <4c4ba1530708030703u7b4a0166u98d648f84eb88282@mail.gmail.com> Today's Rawhide: targeted/enforcing/permissive. Today's 'yum update' of library packages that run 'ldconfig' produce: type=AVC msg=audit(1186149388.713:55): avc: denied { write } for pid=6019 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir type=SYSCALL msg=audit(1186149388.713:55): arch=40000003 syscall=5 success=no exit=-13 a0=97443e0 a1=20241 a2=180 a3=97443e0 items=0 ppid=4587 pid=6019 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null) Running in permissive mode: type=AVC msg=audit(1186149533.240:59): avc: denied { write } for pid=6055 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir type=AVC msg=audit(1186149533.240:59): avc: denied { add_name } for pid=6055 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir type=AVC msg=audit(1186149533.240:59): avc: denied { create } for pid=6055 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1186149533.240:59): arch=40000003 syscall=5 success=yes exit=3 a0=82c43e0 a1=20241 a2=180 a3=82c43e0 items=0 ppid=6051 pid=6055 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null) type=AVC msg=audit(1186149533.240:60): avc: denied { write } for pid=6055 comm="ldconfig" path="/var/cache/ldconfig/aux-cache~" dev=dm-0 ino=66583 scontext=system_u:system_r:ldconfig_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1186149533.240:60): arch=40000003 syscall=4 success=yes exit=48749 a0=3 a1=82e5a48 a2=be6d a3=82c43e0 items=0 ppid=6051 pid=6055 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null) type=AVC msg=audit(1186149533.241:61): avc: denied { remove_name } for pid=6055 comm="ldconfig" name="aux-cache~" dev=dm-0 ino=66583 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir type=AVC msg=audit(1186149533.241:61): avc: denied { rename } for pid=6055 comm="ldconfig" name="aux-cache~" dev=dm-0 ino=66583 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1186149533.241:61): arch=40000003 syscall=38 success=yes exit=0 a0=82c43e0 a1=80c5ef2 a2=3 a3=82c43e0 items=0 ppid=6051 pid=6055 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null) tom -- Tom London From ukhanlists at hotmail.com Fri Aug 3 15:43:09 2007 
From: ukhanlists at hotmail.com (Ubaidul Khan)
Date: Fri, 03 Aug 2007 11:43:09 -0400
Subject: apache2 failing to start
Message-ID:

Ken,

Thank you for your response.

> you can first use execstack to check whether your program really need
> executable stack(you must have prelink firstly):

I checked to see if the library requires an executable stack and execstack returns unknown (? - when it is unknown whether the object requires or doesn't require an executable stack).

# execstack -q libclntsh.so.10.1
? libclntsh.so.10.1

I don't think it was prelinked since these libraries are distributed by Oracle as binary files (all I did was download the archive from Oracle's website and extract it into /opt/oracle/app/instant-client-10.1). Then I downloaded the php-5.1.6-11 SRPM and linked against the oci libraries in the following manner:

configure \
--with-oci8=instantclient,/opt/oracle/app/instant-client-10.1/

> i wonder why is your libraries usr_t, not lib_t, if your libs are lib_t,
> httpd_t can execute those files

I think this happened because I made the directory path /opt/oracle/app/instant-client-10.1/ as root. This path inherited the default context. I imagine it would be more sensible to store the libraries in /usr/lib or /usr/lib64.

I am still puzzled by the executable stack dilemma. I noticed this goes away when I disable selinux (setenforce 0).

Look forward to your correspondence.
From selinux at gmail.com Fri Aug 3 16:36:09 2007
From: selinux at gmail.com (Tom London) Date: Fri, 3 Aug 2007 09:36:09 -0700 Subject: hald wants more .... Message-ID: <4c4ba1530708030936u720cad39l6298fe03ba195597@mail.gmail.com> Today's rawhide. Problems with hal starting. In enforcing mode get this: type=AVC msg=audit(1186156132.596:13): avc: denied { read } for pid=2994 comm="hald" name="reload" dev=dm-0 ino=67152 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1186156132.596:13): arch=40000003 syscall=292 success=no exit=-13 a0=d a1=5379f4 a2=106 a3=8c50d88 items=0 ppid=2993 pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) Believe the reference is to /var/lib/PolicyKit/reload. Bad things seem to happen with this reject. Rebooting in permissive mode: type=AVC msg=audit(1186158594.486:18): avc: denied { read } for pid=2920 comm="hald" name="reload" dev=dm-0 ino=67152 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1186158594.486:18): arch=40000003 syscall=292 success=yes exit=1 a0=d a1=5379f4 a2=106 a3=9ae4d88 items=0 ppid=2919 pid=2920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1186158599.790:19): avc: denied { signal } for pid=2934 comm="hal-acl-tool" scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=process type=SYSCALL msg=audit(1186158599.790:19): arch=40000003 syscall=270 success=yes exit=0 a0=b76 a1=b76 a2=6 a3=bf81ad5c items=0 ppid=2921 pid=2934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null) type=ANOM_ABEND msg=audit(1186158599.791:20): auid=4294967295 
uid=0 gid=0 subj=system_u:system_r:hald_acl_t:s0 pid=2934 comm="hal-acl-tool" sig=6

System is happier (NetworkManager seems to work, etc.)

tom
--
Tom London

From dwalsh at redhat.com Fri Aug 3 19:27:14 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 03 Aug 2007 15:27:14 -0400
Subject: Need help with SELinux and SGE/ssh
In-Reply-To:
References:
Message-ID: <46B38192.5050501@redhat.com>

Orion Poplawski wrote:
> I'm running Sun Grid Engine on a CentOS 5 cluster and am having trouble with SELinux preventing the proper setup of parallel environments. Turning SELinux off allows everything to work properly.
>
> The problem seems to be when SGE tries to use ssh to login to a remote machine. As part of this process, it starts up a private sshd daemon to handle the connection. The relevant error appears to be:
>
> type=USER_LOGIN msg=audit(1186001097.981:19489): user pid=12066 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct=steph: exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.120, terminal=sshd res=failed)'
> type=USER_ROLE_CHANGE msg=audit(1186001098.201:19491): user pid=12066 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='sshd: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'
>
> sshd reports:
> Aug 1 14:44:58 coop00 sshd[12066]: error: deny MLS level SystemLow-SystemHigh (user range s0). Continuing in permissive mode
>
> I'm at a loss here. Can anyone explain what is going on and what is failing? How can I make it work without running in permissive mode?
>
> Thanks!

What context is your sshd running under? Normal sshd runs under

system_u:system_r:sshd_t:SystemLow-SystemHigh

I think you might be having a problem if your sshd is only running at s0 and trying to log people in at SystemLow-SystemHigh.

From dwalsh at redhat.com Fri Aug 3 19:28:39 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 03 Aug 2007 15:28:39 -0400
Subject: Enabling the strict policy on Fedora 7
In-Reply-To:
References:
Message-ID: <46B381E7.8080108@redhat.com>

Patrick McNeal wrote:
> I'm new to SELinux, and have been banging my head against the wall on how to change from the targeted to the strict policy on my Fedora 7 box. I just figured out how to do it, and thought that it would be a good thing to have in the archive so others might more easily find a solution.
>
> 1 - Install the strict policy using the package manager. I used selinux-policy-strict-2.6.4-29.fc.noarch.
> 2 - Using the SELinux Administration tool, set the "system default policy type" to "strict".
> 3 - Set the "system default enforcing mode" to "permissive".
> 4 - Check "Relabel on next reboot".
> 5 - Reboot
>
> If you leave enforcing mode set to the default of "enforcing" you'll get this error on reboot:
>
> /sbin/init: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Permission denied
> Kernel panic - not syncing: Attempted to kill init!
>
> Note, you can also make these changes via the command line by editing /etc/selinux/config, setting up a relabel by touching /.autorelabel and rebooting.
>
> Hope that helps someone.
>
> --Patrick

You need to boot first in permissive mode to allow relabeling to happen, then reboot in enforcing mode. Or just setenforce 1 after the first boot. At the kernel boot line you can just enter enforcing=0 to boot in permissive mode.

From dwalsh at redhat.com Fri Aug 3 20:12:47 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 03 Aug 2007 16:12:47 -0400
Subject: Need help with SELinux and SGE/ssh
In-Reply-To: <46B387AF.9070209@cora.nwra.com>
References: <46B38192.5050501@redhat.com> <46B387AF.9070209@cora.nwra.com>
Message-ID: <46B38C3F.3000302@redhat.com>

Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> What context is your sshd running under? Normal sshd runs under
>>
>> system_u:system_r:sshd_t:SystemLow-SystemHigh
>>
>> I think you might be having a problem if your sshd is only running at s0 and trying to log people in at SystemLow-SystemHigh.
>
> Well, in permissive mode it ends up like:
>
> root:system_r:unconfined_t:SystemLow-SystemHigh orion 7737 7732 0 13:45 ? 00:00:00 sshd: orion at notty
>
> But this is after login. I'm not sure there's a good way to tell what it is before the login completes though - unless the error messages indicate that it is running in s0.
>
> How can I make sure that it is running at SystemLow-SystemHigh to start with? Get the SGE daemons running in that mode so that children inherit that?

Or set up a transition from the SGE daemons to sshd_t:s0-SystemHigh

From mark.rowe at btinternet.com Sat Aug 4 12:08:48 2007
From: mark.rowe at btinternet.com (MARK ROWE)
Date: Sat, 4 Aug 2007 12:08:48 +0000 (GMT)
Subject: selinux-policy-targeted no src directory ?
Message-ID: <48648.97579.qm@web86010.mail.ird.yahoo.com>

Hi All,

Please can someone suggest a solution to the following. I am not that familiar with Linux and have been tasked to re-configure 2 existing servers that cannot be upgraded due to company policy etc.

I have 2 servers running MySQL on Fedora Core 4 and need to set them up for master/slave replication. This I have done but have found that SELinux is stopping the mysqld on the slave from making a network connection to the master. I downloaded selinux-policy-targeted-1.23.16-6.noarch.rpm and installed it with no errors reported but it failed to create the /etc/selinux/targeted/src directory. I tried several times at installing the package but each time it failed to create the right directories.

Can anyone suggest how I can get this installed correctly or how I can get SELinux to allow mysqld network connection without it?

Regards,
Mark.

From tmz at pobox.com Sat Aug 4 19:45:57 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Sat, 4 Aug 2007 15:45:57 -0400
Subject: ldconfig denials during mock builds
Message-ID: <20070804194557.GB23832@psilocybe.teonanacatl.org>

Hi,

I recently noticed some problems when building packages for rawhide with mock. The mock logs have a lot of these:

/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
error: %postun(glibc-2.6-4.i686) scriptlet failed, exit status 1

The audit messages look like this:

avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0

avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0

I'm guessing this has to do with the contexts on etc:

$ ll -dZ /etc/ /var/lib/mock/fedora-development-i386/root/etc/
drwxr-xr-x root root system_u:object_r:etc_t /etc/
drwxrwsr-x build mock user_u:object_r:var_lib_t /var/lib/mock/fedora-development-i386/root/etc/

Is this something that needs to be fixed in mock or in the selinux policy?

Thanks,

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When I think about all the crap I learned in high school ... it's a wonder I can think at all.
-- Paul Simon

From paul at city-fan.org Mon Aug 6 09:08:16 2007
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 06 Aug 2007 10:08:16 +0100
Subject: ldconfig denials during mock builds
In-Reply-To: <20070804194557.GB23832@psilocybe.teonanacatl.org>
References: <20070804194557.GB23832@psilocybe.teonanacatl.org>
Message-ID: <46B6E500.9010607@city-fan.org>

Todd Zullinger wrote:
> Hi,
>
> I recently noticed some problems when building packages for rawhide
> with mock. The mock logs have a lot of these:
>
> /sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
> error: %postun(glibc-2.6-4.i686) scriptlet failed, exit status 1
>
> The audit messages look like this:
>
> avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
>
> avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
>
> I'm guessing this has to do with the contexts on etc:
>
> $ ll -dZ /etc/ /var/lib/mock/fedora-development-i386/root/etc/
> drwxr-xr-x root root system_u:object_r:etc_t /etc/
> drwxrwsr-x build mock user_u:object_r:var_lib_t /var/lib/mock/fedora-development-i386/root/etc/
>
> Is this something that needs to be fixed in mock or in the selinux
> policy?

Is your buildsys also running on rawhide?

Are you not using the mock policy module from http://fedoraproject.org/wiki/PackageMaintainers/MockTricks ?

Paul.

From tmz at pobox.com Mon Aug 6 18:10:46 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 6 Aug 2007 14:10:46 -0400
Subject: ldconfig denials during mock builds
In-Reply-To: <46B6E500.9010607@city-fan.org>
References: <20070804194557.GB23832@psilocybe.teonanacatl.org> <46B6E500.9010607@city-fan.org>
Message-ID: <20070806181045.GA26040@psilocybe.teonanacatl.org>

Paul Howarth wrote:
> Is your buildsys also running on rawhide?

No, sorry for not including the details. I'm running F7 and building packages in mock for rawhide. I haven't tested whether building packages for F7 or another version causes this as well, since noticing it. It just started happening recently, AFAICT. I'll have to test a few more packages and see if they all cause it. (It may require the mock chroot to be updated, though the way rawhide churns that should happen on a daily basis. :)

> Are you not using the mock policy module from
> http://fedoraproject.org/wiki/PackageMaintainers/MockTricks ?

No, I'm not. I hadn't noticed a need to use the mock module previously. Thanks for pointing it out though. Is it likely to be necessary in most cases?

I've built packages for rawhide in mock on F7 previously without needing the module or getting these errors. The apparent change in behavior seemed like a possible indication of some other problem.

Thanks,

-- 
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I have to decide between two equally frightening options. If I wanted to do that, I'd vote.
    -- Duckman

From kaigai at ak.jp.nec.com Tue Aug 7 03:56:59 2007
From: kaigai at ak.jp.nec.com (KaiGai Kohei) Date: Tue, 07 Aug 2007 12:56:59 +0900 Subject: MLS/MCS disabled in building a policy module Message-ID: <46B7ED8B.6060506@ak.jp.nec.com> When I built a policy module with the latest selinux-policy-devel (3.0.5-1), the Makefile didn't enable the MLS/MCS switch. We had to add "TYPE=mcs" option to avoid the problem. ---------------- [kaigai at masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile Compiling targted sepostgresql module /usr/bin/checkmodule: loading policy configuration from tmp/sepostgresql.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 6) to tmp/sepostgresql.mod Creating targted sepostgresql.pp policy package rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod [kaigai at masu policy]$ su Password: [root at masu policy]# /usr/sbin/semodule -i sepostgresql.pp libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. libsemanage.semanage_link_sandbox: Link packages failed /usr/sbin/semodule: Failed! [root at masu policy]# ---------------- I found the following differences between 3.0.4-1 and 3.0.5-1. ---------------- # enable MLS if requested. -ifneq ($(findstring -mls,$(TYPE)),) +ifeq "$(TYPE)" "mls" M4PARAM += -D enable_mls CHECKPOLICY += -M CHECKMODULE += -M endif # enable MLS if MCS requested. -ifneq ($(findstring -mcs,$(TYPE)),) +ifeq "$(TYPE)" "mcs" M4PARAM += -D enable_mcs CHECKPOLICY += -M CHECKMODULE += -M ---------------- Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile, the above blocks are skipped, then MLS/MCS is disabled. I think the above blocks should be reverted. -- OSS Platform Development Division, NEC KaiGai Kohei From paul at city-fan.org Tue Aug 7 07:03:45 2007 
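Review bot: the replacement tests `+ifeq "$(TYPE)" "mls"` and `+ifeq "$(TYPE)" "mcs"` only match when $(TYPE) is exactly the string "mls" or "mcs", but the devel Makefile composes TYPE as "$(NAME)${MCSFLAG}" (so "targeted-mcs" for a targeted build), which means neither block fires, `-M` is never added to CHECKMODULE/CHECKPOLICY and the module is built without MLS support; that is exactly the "Tried to link in a non-MLS module with an MLS base" failure in the semodule output above. Restore the substring tests `ifneq ($(findstring -mls,$(TYPE)),)` and `ifneq ($(findstring -mcs,$(TYPE)),)`, or match the suffix with `ifneq ($(filter %-mcs,$(TYPE)),)` if the intent was to tighten the check, rather than comparing the whole value.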
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 7 Aug 2007 08:03:45 +0100
Subject: ldconfig denials during mock builds
In-Reply-To: <20070806181045.GA26040@psilocybe.teonanacatl.org>
References: <20070804194557.GB23832@psilocybe.teonanacatl.org> <46B6E500.9010607@city-fan.org> <20070806181045.GA26040@psilocybe.teonanacatl.org>
Message-ID: <20070807080345.4cd59644@metropolis.intra.city-fan.org>

On Mon, 6 Aug 2007 14:10:46 -0400 Todd Zullinger wrote:
> Paul Howarth wrote:
> > Is your buildsys also running on rawhide?
>
> No, sorry for not including the details. I'm running F7 and building
> packages in mock for rawhide. I haven't tested whether building
> packages for F7 or another version causes this as well, since noticing
> it. It just started happening recently, AFAICT. I'll have to test a
> few more packages and see if they all cause it. (It may require the
> mock chroot to be updated, though the way rawhide churns that should
> happen on a daily basis. :)
>
> > Are you not using the mock policy module from
> > http://fedoraproject.org/wiki/PackageMaintainers/MockTricks ?
>
> No, I'm not. I hadn't noticed a need to use the mock module
> previously. Thanks for pointing it out though. Is it likely to be
> necessary in most cases?
>
> I've built packages for rawhide in mock on F7 previously without
> needing the module or getting these errors. The apparent change in
> behavior seemed like a possible indication of some other problem.

I wrote the module back in FC5 times when SELinux prevented builds of mono-based packages in mock with the default setup, and it's "just worked" ever since. I'm building packages for rawhide in mock on an F7 host and I'm not seeing these issues, so I think it's worth a try.

SELinux and chroots don't mix terribly well really, at least for large chroots like mock uses.

Paul.

From selinux at gmail.com Tue Aug 7 13:48:16 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 7 Aug 2007 06:48:16 -0700
Subject: ldconfig_t - still more .... ?
Message-ID: <4c4ba1530708070648s197f50edq5b18c67a71947795@mail.gmail.com>

Running selinux-policy-3.0.5-2.fc8, targeted/enforcing.

Says: "- Fixes for ldconfig" but I get these during 'yum update'. 'restorecon' of /var/cache/ldconfig doesn't change ....

type=AVC msg=audit(1186493561.393:26): avc: denied { search } for pid=4210 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493561.393:26): arch=40000003 syscall=5 success=no exit=-13 a0=80c5a92 a1=0 a2=3 a3=0 items=0 ppid=4209 pid=4210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493561.572:27): avc: denied { getattr } for pid=4210 comm="ldconfig" path="/var/cache/ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493561.572:27): arch=40000003 syscall=195 success=no exit=-13 a0=bfde8600 a1=bfde8658 a2=bfde8613 a3=8fd3080 items=0 ppid=4209 pid=4210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)

Putting in permissive mode adds:

type=SYSCALL msg=audit(1186493569.650:32): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfb7f5d4 a2=1 a3=bfb7f5d4 items=0 ppid=4222 pid=4263 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="setenforce" exe="/usr/sbin/setenforce" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1186493600.964:33): avc: denied { search } for pid=4290 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493600.964:33): arch=40000003 syscall=5 success=yes exit=3 a0=80c5a92 a1=0 a2=3 a3=0 items=0 ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.234:34): avc: denied { getattr } for pid=4290 comm="ldconfig" path="/var/cache/ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493601.234:34): arch=40000003 syscall=195 success=yes exit=0 a0=bfd35ad0 a1=bfd35b28 a2=bfd35ae3 a3=8d77940 items=0 ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.234:35): avc: denied { write } for pid=4290 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=AVC msg=audit(1186493601.234:35): avc: denied { add_name } for pid=4290 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493601.234:35): arch=40000003 syscall=5 success=yes exit=3 a0=8d77940 a1=20241 a2=180 a3=8d77940 items=0 ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186493601.235:36): avc: denied { remove_name } for pid=4290 comm="ldconfig" name="aux-cache~" dev=dm-0 ino=66343 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1186493601.235:36): arch=40000003 syscall=38 success=yes exit=0 a0=8d77940 a1=80c5a92 a2=3 a3=8d77940 items=0 ppid=4271 pid=4290 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)

tom

-- 
Tom London

From hal_bg at yahoo.com Tue Aug 7 16:48:47 2007
From: hal_bg at yahoo.com (Hal)
Date: Tue, 7 Aug 2007 09:48:47 -0700 (PDT)
Subject: Strict policy on FC6 and F7
In-Reply-To: <46B381E7.8080108@redhat.com>
Message-ID: <134849.44708.qm@web32207.mail.mud.yahoo.com>

Hallo

After a problem with the strict policy in FC6: firefox does not start under strict policy. No messages at all. I decided to check if firefox under strict policy on F7 works.
I have installed F7 and enabled strict policy. But from now on I can no longer log in if enforcing is on. When I enter username and password I get permission denied even for root in GDM. In console I just get a new "username" prompt.

I do not understand why firefox does not start in fc6 and I cannot log in on F7 under strict policy?

What might be wrong?

Hal

From elihusmails at gmail.com Tue Aug 7 17:56:51 2007
From: elihusmails at gmail.com (Mark)
Date: Tue, 7 Aug 2007 13:56:51 -0400
Subject: beginner to SE Linux policy
In-Reply-To: <7b740b700707280714u72d59b83j3f6c3065d15e2b79@mail.gmail.com>
References: <9f066ee90707271204p2bfe6da7k4f8f50798c50c2e8@mail.gmail.com> <7b740b700707280714u72d59b83j3f6c3065d15e2b79@mail.gmail.com>
Message-ID: <9f066ee90708071056j74618a8akd860ef084f055243@mail.gmail.com>

Thanks for the help. I just want to become more familiar with SE Linux and understand the context of the te, fe, if..etc files and how I can modify them so that my programs are more secure. There just seems to be a lot of information that may or may not be related in order to help me. For instance, there is the seedit tools, SLIDE and RedHat tools available. Also, which is a better distribution to learn SE Linux, CentOS or Fedora Core?

I am an application developer who really just needs to learn how to write policies for the programs I am developing. Things like policies, domains and domain transition are important areas I really want to learn.

Thanks for the help.

PS. I ordered the SE Linux by Example yesterday!

-- 
..Cheers
Mark

On 7/28/07, shahbaz khan wrote:
>
> Mark
>
> Selinux by example is the best answer to ur stated problem. NSA documents
> will give u a good background because things have been changing a lot. Do not
> miss tresys' reference policy and policy management server. U can get more
> info about it from tresys' website. Once u start to get acquainted with
> selinux this mailing list will be more useful to u. Also join fedora selinux
> mailing list.
>
> I am not sure which policy analysis tool will be more useful to u. Why
> don't u write a more specific question to this list w.r.t. policy analysis
> tools. U might get good answers from selinux by example.
>
> Shaz.
>
> On 7/28/07, Mark wrote:
> >
> > I have seen programs that will help me to edit and analyze SE Linux
> > policies. What I am interested in is a resource that will help me
> > understand what a policy does and how to write them. At least for me,
> > learning at the code level and not using GUI tools helps me to understand
> > things better.
> >
> > So what resources are out there for me to start looking at?
> >
> > Thanks in advance.
> > Mark
> >

From sds at tycho.nsa.gov Tue Aug 7 19:19:07 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 07 Aug 2007 15:19:07 -0400
Subject: beginner to SE Linux policy
In-Reply-To: <9f066ee90708071056j74618a8akd860ef084f055243@mail.gmail.com>
References: <9f066ee90707271204p2bfe6da7k4f8f50798c50c2e8@mail.gmail.com> <7b740b700707280714u72d59b83j3f6c3065d15e2b79@mail.gmail.com> <9f066ee90708071056j74618a8akd860ef084f055243@mail.gmail.com>
Message-ID: <1186514347.26457.114.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-08-07 at 13:56 -0400, Mark wrote:
> Thanks for the help. I just want to become more familiar with SE
> Linux and understand the context of the te, fe, if..etc files and how
> I can modify them so that my programs are more secure. There just
> seems to be a lot of information that may or may not be related in
> order to help me. For instance, there is the seedit tools, SLIDE and
> RedHat tools available. Also, which is a better distribution to learn
> SE Linux, CentOS or Fedora Core?

Fedora Core tracks the latest SELinux developments more closely.

The reference policy documentation should help you, online at http://oss.tresys.com/projects/refpolicy/wiki/Documentation and if you have selinux-policy installed, locally available docs under /usr/share/doc/selinux-policy-x.y.z/.

SLIDE is an eclipse plugin that leverages reference policy and provides the typical IDE-style auto-completion, interface lookup, wizards for constructing domains, etc. Useful if you are ok working in an IDE.

SEEdit is more about hiding the underlying abstractions and presenting a very simple UI. Requires switching to its own policy entirely, away from the stock policy.

> I am an application developer who really just needs to learn how to
> write policies for the programs I am developing. Things like
> policies, domains and domain transition are important areas I really
> want to learn.

There are a number of resources, e.g. see http://selinux.sourceforge.net/resources.php3 , but many of them predate the reference policy. Reference policy documentation and SLIDE are your best bets right now, along with the book.

-- 
Stephen Smalley
National Security Agency

From elihusmails at gmail.com Tue Aug 7 19:29:57 2007
From: elihusmails at gmail.com (Mark)
Date: Tue, 7 Aug 2007 15:29:57 -0400
Subject: beginner to SE Linux policy
In-Reply-To: <1186514347.26457.114.camel@moss-spartans.epoch.ncsc.mil>
References: <9f066ee90707271204p2bfe6da7k4f8f50798c50c2e8@mail.gmail.com> <7b740b700707280714u72d59b83j3f6c3065d15e2b79@mail.gmail.com> <9f066ee90708071056j74618a8akd860ef084f055243@mail.gmail.com> <1186514347.26457.114.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <9f066ee90708071229y1e13259cned89f25185b0a01@mail.gmail.com>

Thank you for the information. I will continue working with the reference policy and reading the information you provided.

-- 
..Cheers
Mark

On 8/7/07, Stephen Smalley wrote:
>
> On Tue, 2007-08-07 at 13:56 -0400, Mark wrote:
> > Thanks for the help. I just want to become more familiar with SE
> > Linux and understand the context of the te, fe, if..etc files and how
> > I can modify them so that my programs are more secure. There just
> > seems to be a lot of information that may or may not be related in
> > order to help me. For instance, there is the seedit tools, SLIDE and
> > RedHat tools available. Also, which is a better distribution to learn
> > SE Linux, CentOS or Fedora Core?
>
> Fedora Core tracks the latest SELinux developments more closely.
>
> The reference policy documentation should help you, online at
> http://oss.tresys.com/projects/refpolicy/wiki/Documentation and if you
> have selinux-policy installed, locally available docs
> under /usr/share/doc/selinux-policy-x.y.z/.
>
> SLIDE is an eclipse plugin that leverages reference policy and provides
> the typical IDE-style auto-completion, interface lookup, wizards for
> constructing domains, etc. Useful if you are ok working in an IDE.
>
> SEEdit is more about hiding the underlying abstractions and presenting a
> very simple UI. Requires switching to its own policy entirely, away
> from the stock policy.
>
> > I am an application developer who really just needs to learn how to
> > write policies for the programs I am developing. Things like
> > policies, domains and domain transition are important areas I really
> > want to learn.
>
> There are a number of resources, e.g. see
> http://selinux.sourceforge.net/resources.php3 , but many of them predate
> the reference policy. Reference policy documentation and SLIDE are your
> best bets right now, along with the book.
>
> --
> Stephen Smalley
> National Security Agency
>

From shin216 at xf7.so-net.ne.jp Tue Aug 7 21:27:16 2007
From: shin216 at xf7.so-net.ne.jp (shintaro_fujiwara)
Date: Wed, 08 Aug 2007 06:27:16 +0900
Subject: Strict policy on FC6 and F7
In-Reply-To: <134849.44708.qm@web32207.mail.mud.yahoo.com>
References: <134849.44708.qm@web32207.mail.mud.yahoo.com>
Message-ID: <1186522036.4015.12.camel@notepc.intrajp-yokosuka.co.jp>

On 2007-08-07 at 09:48 -0700, Hal wrote:
> Hallo
>
> After a problem with the strict policy in FC6: firefox does not start under
> strict policy. No messages at all. I decided to check if firefox under strict
> policy on F7 works.
> I have installed F7 and enabled strict policy. But from now on I can no longer
> log in if enforcing is on. When I enter username and password I get
> permission denied even for root in GDM. In console I just get a new "username"
> prompt.
>
> I do not understand why firefox does not start in fc6 and
> I cannot log in on F7 under strict policy?
>
> What might be wrong?
>

Because, now you're in enforcing mode, please disable SELinux and login.
Install devel policy.

#yum install selinux-policy-devel

Please install this module.

#vim local.te

module local 1.0;

require {
	type local_login_t;
	# audit_write is the capability logging_send_audit_msg allows on self, and
	# audit_control the one logging_set_loginuid allows; both classes must be
	# declared here or checkmodule rejects the expanded allow rules
	class capability { audit_write audit_control };
	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr getopt setopt write nlmsg_relay nlmsg_read create read };
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)

#make -f /usr/share/selinux/devel/Makefile local.pp
#semodule -i local.pp
#semodule -l|grep local

Set SELinux enforcing.

Did it work?

> Hal
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From michal at logix.cz Wed Aug 8 00:30:39 2007
From: michal at logix.cz (Michal Ludvig)
Date: Wed, 08 Aug 2007 12:30:39 +1200
Subject: Can't run OpenVPN from /etc/init.d/openvpn
Message-ID: <46B90EAF.2040003@logix.cz>

Hi all,

I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its dependent liblzo2 2.02 from RPMforge.net.

With SElinux disabled everything works nicely. However with SElinux enabled in enforcing targeted mode I can't run OpenVPN via /etc/init.d/openvpn:

~# /etc/init.d/openvpn start
Starting openvpn: /usr/sbin/openvpn: error while loading shared libraries: liblzo2.so.2: cannot enable executable stack as shared object requires: Permission denied
[FAILED]

At that time two new records appear in /var/log/audit/audit.log:

type=AVC msg=audit(1186574630.135:162): avc: denied { execstack } for pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0 tcontext=root:system_r:openvpn_t:s0 tclass=process

type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125 success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)

When I pass them to audit2allow I get:

allow openvpn_t self:process execstack;

So I did "audit2allow -M local && semodule -i local.pp" to enable it, but still no luck. "/etc/init.d/openvpn start" still fails with the above error about being unable to load liblzo2.so.2.

~# ls -Z /etc/init.d/openvpn /usr/sbin/openvpn /usr/lib/liblzo2.so.2*
system_u:object_r:initrc_exec_t /etc/init.d/openvpn
system_u:object_r:openvpn_exec_t /usr/sbin/openvpn
system_u:object_r:lib_t /usr/lib/liblzo2.so.2.0.0
system_u:object_r:lib_t /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0

Interesting thing is that when I manually run /usr/sbin/openvpn it works fine:

~# /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/vpn.conf
Thu Aug 9 00:25:24 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
[...]
Thu Aug 9 00:25:25 2007 TCPv4_CLIENT link local: [undef]
Thu Aug 9 00:25:25 2007 TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx
Thu Aug 9 00:25:28 2007 Peer Connection Initiated with xxx.xxx.xxx.xxx

What should I do to make it work from /etc/init.d on system boot as well?

Thanks!

Michal

From wolfy at nobugconsulting.ro Wed Aug 8 00:45:33 2007
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Wed, 08 Aug 2007 03:45:33 +0300
Subject: Can't run OpenVPN from /etc/init.d/openvpn
In-Reply-To: <46B90EAF.2040003@logix.cz>
References: <46B90EAF.2040003@logix.cz>
Message-ID: <46B9122D.5050203@nobugconsulting.ro>

On 08/08/2007 03:30 AM, Michal Ludvig wrote:
> Hi all,
>
> I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its
> dependent liblzo2 2.02 from RPMforge.net.
>
> With SElinux disabled everything works nicely. However with SElinux
> enabled in enforcing targeted mode I can't run OpenVPN via
> /etc/init.d/openvpn:
>
> ~# /etc/init.d/openvpn start
> Starting openvpn: /usr/sbin/openvpn: error while loading shared
> libraries: liblzo2.so.2: cannot enable executable stack as shared
> object requires: Permission denied
> [FAILED]
>
> At that time two new records appear in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1186574630.135:162): avc: denied { execstack }
> for pid=18563 comm="openvpn" scontext=root:system_r:openvpn_t:s0
> tcontext=root:system_r:openvpn_t:s0 tclass=process
>
> type=SYSCALL msg=audit(1186574630.135:162): arch=40000003 syscall=125
> success=no exit=-13 a0=bfb66000 a1=1000 a2=1000007 a3=fffff000 items=0
> ppid=18553 pid=18563 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 comm="openvpn" exe="/usr/sbin/openvpn"
> subj=root:system_r:openvpn_t:s0 key=(null)
>
> When I pass them to audit2allow I get:
>
> allow openvpn_t self:process execstack;
>
> So I did "audit2allow -M local && semodule -i local.pp" to enable it,
> but still no luck. "/etc/init.d/openvpn start" still fails with the
> above error about being unable to load liblzo2.so.2.
>
> ~# ls -Z /etc/init.d/openvpn /usr/sbin/openvpn /usr/lib/liblzo2.so.2*
> system_u:object_r:initrc_exec_t /etc/init.d/openvpn
> system_u:object_r:openvpn_exec_t /usr/sbin/openvpn
> system_u:object_r:lib_t /usr/lib/liblzo2.so.2.0.0
> system_u:object_r:lib_t /usr/lib/liblzo2.so.2 -> liblzo2.so.2.0.0
>
> Interesting thing is that when I manually run /usr/sbin/openvpn it
> works fine:
>
> ~# /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/vpn.conf
> Thu Aug 9 00:25:24 2007 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL]
> [LZO] [EPOLL] built on Mar 8 2007
> [...]
> Thu Aug 9 00:25:25 2007 TCPv4_CLIENT link local: [undef]
> Thu Aug 9 00:25:25 2007 TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx
> Thu Aug 9 00:25:28 2007 Peer Connection Initiated with xxx.xxx.xxx.xxx
>
> What should I do to make it work from /etc/init.d on system boot as well?

I've had a similar problem some time ago. Rather than punching an additional hole in selinux, I switched to the openvpn package from EPEL.

From michal at logix.cz Wed Aug 8 01:41:13 2007
From: michal at logix.cz (Michal Ludvig)
Date: Wed, 08 Aug 2007 13:41:13 +1200
Subject: Can't run OpenVPN from /etc/init.d/openvpn
In-Reply-To: <46B9122D.5050203@nobugconsulting.ro>
References: <46B90EAF.2040003@logix.cz> <46B9122D.5050203@nobugconsulting.ro>
Message-ID: <46B91F39.6010705@logix.cz>

Manuel Wolfshant wrote:
> On 08/08/2007 03:30 AM, Michal Ludvig wrote:
>> Hi all,
>>
>> I have a fresh install of RHEL5 (x86) with OpenVPN 2.0.9 and its
>> dependent liblzo2 2.02 from RPMforge.net.
>>
>> With SElinux disabled everything works nicely. However with SElinux
>> enabled in enforcing targeted mode I can't run OpenVPN via
>> /etc/init.d/openvpn:
>>
>> ~# /etc/init.d/openvpn start
>> Starting openvpn: /usr/sbin/openvpn: error while loading shared
>> libraries: liblzo2.so.2: cannot enable executable stack as shared
>> object requires: Permission denied
>> [FAILED]
>> [...]
>>
>> What should I do to make it work from /etc/init.d on system boot as well?
> I've had a similar problem some time ago. Rather than punching an
> additional hole in selinux, I switched to the openvpn package from EPEL.

Thanks for a hint. I'd eventually resort to EPEL if I couldn't make the package from rpm forge work. I take it however as a SElinux learning opportunity so I'd appreciate any hints or explanations on the problem I described as well.

Thanks!

Michal

From lshoujun at yahoo.com Wed Aug 8 09:11:30 2007
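The loader message Michal quotes ("cannot enable executable stack as shared object requires") is produced when a library's PT_GNU_STACK program header carries PF_X, so ld.so asks for an executable stack and SELinux denies process:execstack for the domain. The script below is an added example, not code from the thread, OpenVPN or lzo: it reads only the ELF header and program header table and reports whether an object requests ("exec"), refuses ("noexec") or simply does not mark ("unmarked") an executable stack, so a library can be vetted before it is installed. The three ELF images at the bottom are constructed in memory; point the script at a real file such as the liblzo2.so.2 from the thread to check an installed library.

```python
#!/usr/bin/env python3
"""Report whether an ELF shared object asks the dynamic loader for an executable stack.

Added example, not code from the thread, OpenVPN or lzo. The loader error quoted
above ("cannot enable executable stack as shared object requires") means the
library's PT_GNU_STACK program header carries PF_X, so ld.so tries to make the
stack executable and SELinux denies process:execstack. This script reads only
the ELF header and the program header table, so it can vet a library before it
is installed rather than after the denial appears.
"""
import struct
import sys

ELFMAG = b"\x7fELF"
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def program_headers(data):
    """Yield (p_type, p_flags) for every program header; handles ELF32/ELF64, LE/BE."""
    if len(data) < 52 or data[:4] != ELFMAG:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    if ei_class == 1:      # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42, p_flags at 24
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        flags_off = 24
    elif ei_class == 2:    # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54, p_flags at 4
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        flags_off = 4
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + flags_off + 4 > len(data):
            raise ValueError("program header table truncated")
        (p_type,) = struct.unpack_from(endian + "I", data, base)
        (p_flags,) = struct.unpack_from(endian + "I", data, base + flags_off)
        yield p_type, p_flags


def stack_requirement(data):
    """Return 'exec', 'noexec' or 'unmarked'.

    'unmarked' (no PT_GNU_STACK at all) is treated by the loader like an
    executable-stack request, so only 'noexec' is safe under a policy that
    denies execstack.
    """
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "unmarked"


def build_elf32(phdrs):
    """Constructed minimal little-endian ELF32 ET_DYN image (EM_386, no sections)
    carrying the given (p_type, p_flags) headers; enough for the check above."""
    e_ident = ELFMAG + bytes([1, 1, 1]) + bytes(9)           # class32, LE, version 1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", e_ident, 3, 3, 1, 0, 52, 0, 0,
                       52, 32, len(phdrs), 0, 0, 0)
    phdr_bytes = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 4)
                          for t, f in phdrs)
    return ehdr + phdr_bytes


# Constructed samples: an object that requests an executable stack (as the
# thread's liblzo2 evidently does), a properly marked one, and one with no
# PT_GNU_STACK header at all.
SAMPLE_EXECSTACK = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
SAMPLE_NOEXEC = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
SAMPLE_UNMARKED = build_elf32([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    # Check the files named on the command line, or the constructed samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-execstack.so", SAMPLE_EXECSTACK),
        ("sample-noexec.so", SAMPLE_NOEXEC),
        ("sample-unmarked.so", SAMPLE_UNMARKED),
    ]
    for name, data in targets:
        print(f"{name}: {stack_requirement(data)}")
```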
From: lshoujun at yahoo.com (Louis Lam) Date: Wed, 8 Aug 2007 02:11:30 -0700 (PDT) Subject: Strict policy on FC6 and F7 Message-ID: <601030.88994.qm@web34806.mail.mud.yahoo.com> Hi, I'm trying to enable strict policy on fc7, need to do this too. But i got this error when I tried to compile the module [root at localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp Compiling targeted local module /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642: #line 10 allow local_login_t self:capability audit_write; /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/local.mod] Error 1 Thanks & Rgds, Louis ----- Original Message ---- 
From: shintaro_fujiwara To: Hal ; fedora-selinux-list at redhat.com Sent: Tuesday, August 7, 2007 5:27:16 PM Subject: Re: Strict policy on FC6 and F7 2007-08-07 (?) ? 09:48 -0700 ? Hal ????????: > Hallo > > After a problem with the strict policy in FC6: firefox does not start under > strict policy. No messages at all. I decided to check if firefox under strict > policy on F7 works. > I have installed F7 and enabled strict policy. But from now on I can no longer > login in enforcing is on . When I enter username and password and I get > permission denied even for root in GDM. In console I just get new "username" > prompt. > > I do not understand why firefox does not start in fc6 and > can not longin on F7 under strict policy? > > What might be wrong? > Because, now you're in enforcing mode, please disable SELinux and login. Install devel policy. #yum install selinux-policy-devel Please install this module. #vim local.te module local 1.0; require { type local_login_t; class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read }; } logging_send_audit_msg(local_login_t) logging_set_loginuid(local_login_t) #make -f /usr/share/selinux/devel/Makefile local.pp #semodule -i local.pp #semodule -l|grep local Set SELinux enforcing. Did it work? > Hal > > > > > > ____________________________________________________________________________________ > Luggage? GPS? Comic books? > Check out fitting gifts for grads at Yahoo! 
Search > http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=bz > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list Send instant messages to your online friends http://uk.messenger.yahoo.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From hal_bg at yahoo.com Wed Aug 8 09:57:39 2007 From: hal_bg at yahoo.com (Hal) Date: Wed, 8 Aug 2007 02:57:39 -0700 (PDT) Subject: Strict policy on FC6 and F7 In-Reply-To: <601030.88994.qm@web34806.mail.mud.yahoo.com> Message-ID: <867081.76182.qm@web32207.mail.mud.yahoo.com> Hi So far it did not work. This is what I get: [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp Compiling strict local module /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp local.te:9:ERROR 'syntax error' at token 'logging_send_audit_msg' on line 81076: logging_send_audit_msg(local_login_t) } /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/local.mod] Error 1 Hal --- Louis Lam wrote: > Hi, > > I'm trying to enable strict policy on fc7, need to do this too. But i got > this error when I tried to compile the module > > [root at localhost local_module_for_login]# make -f > /usr/share/selinux/devel/Makefile local.pp > Compiling targeted local module > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp > local.te:10:ERROR 'unknown class capability used in rule' at token ';' on > line 80642: > #line 10 > allow local_login_t self:capability audit_write; > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/local.mod] Error 1 > > Thanks & Rgds, > Louis > > ----- Original Message ---- 
From shin216 at xf7.so-net.ne.jp Wed Aug 8 11:25:36 2007
From: shin216 at xf7.so-net.ne.jp (shintaro_fujiwara)
Date: Wed, 08 Aug 2007 20:25:36 +0900
Subject: Strict policy on FC6 and F7
In-Reply-To: <601030.88994.qm@web34806.mail.mud.yahoo.com>
References: <601030.88994.qm@web34806.mail.mud.yahoo.com>
Message-ID: <1186572337.3108.8.camel@notepc.intrajp-yokosuka.co.jp>

Ooops. This seems to be the same problem as Hal has.

My suggestion is: do not use an allow statement, but use an interface.

Please read the exchange between Hal and me; it might solve this problem.

Comment out those lines, the same as the interface says. I mean,

#allow local_login_t ...

You can do it! Because I already solved it.

On 2007-08-08 (Wed) 02:11 -0700, Louis Lam wrote:
> Hi,
>
> I'm trying to enable strict policy on fc7, need to do this too. But I
> got this error when I tried to compile the module
>
> [root at localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642:
> #line 10
> allow local_login_t self:capability audit_write;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
> Thanks & Rgds,
> Louis
From shin216 at xf7.so-net.ne.jp Wed Aug 8 11:36:04 2007
From: shin216 at xf7.so-net.ne.jp (shintaro_fujiwara)
Date: Wed, 08 Aug 2007 20:36:04 +0900
Subject: Strict policy on FC6 and F7
In-Reply-To: <867081.76182.qm@web32207.mail.mud.yahoo.com>
References: <867081.76182.qm@web32207.mail.mud.yahoo.com>
Message-ID: <1186572964.3108.13.camel@notepc.intrajp-yokosuka.co.jp>

On 2007-08-08 (Wed) 02:57 -0700, Hal wrote:
> Hi
> So far it did not work. This is what I get:
> [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling strict local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:9:ERROR 'syntax error' at token 'logging_send_audit_msg' on line 81076:
> logging_send_audit_msg(local_login_t)
> }
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>

All right. I've checked the Tresys page and found the interface name is...

http://oss.tresys.com/docs/refpolicy/api/interfaces.html

logging_send_audit_msgs

Try this. Solved?

I have another problem on strict policy, so keep in touch.

Cheers!

> Hal
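Both compile errors in this thread come from guessing names by hand: a misspelled interface (logging_send_audit_msg for logging_send_audit_msgs) and a raw allow on a class the module never declared. The check below is an added example, not from the thread and not part of refpolicy or selinux-policy-devel: it collects the interface(`name') definitions from .if content, compares them with the calls in a .te, and suggests the nearest defined name. The .if excerpt and the .te are constructed stand-ins; on a real box, point known_interfaces_from_dir at /usr/share/selinux/devel/include.

```python
import difflib
import glob
import os
import re

# Constructed excerpt in the style of a refpolicy .if file (hypothetical stand-in for
# the files under /usr/share/selinux/devel/include, not copied from refpolicy).
SAMPLE_IF = r"""
########################################
## <summary>Send audit messages.</summary>
interface(`logging_send_audit_msgs',`
	gen_require(`
		class netlink_audit_socket { create bind write nlmsg_relay };
	')
	allow $1 self:capability audit_write;
	allow $1 self:netlink_audit_socket { create bind write nlmsg_relay };
')

interface(`logging_set_loginuid',`
	allow $1 self:capability audit_control;
')
"""

# The local.te from the thread, with the misspelled interface name still in place.
SAMPLE_TE = """
module local 1.0;

require {
	type local_login_t;
	class netlink_audit_socket { append bind connect read write nlmsg_relay nlmsg_read create };
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
"""

INTERFACE_DEF = re.compile(r"^\s*(?:interface|template)\(`([A-Za-z0-9_]+)'", re.M)
# A policy statement of the form  name(args)  at the start of a line.
CALL = re.compile(r"^\s*([a-z][A-Za-z0-9_]*)\(", re.M)
# Statements that take parentheses but are not interface calls.
NOT_INTERFACES = {"module", "policy_module", "gen_require", "optional_policy",
                  "tunable_policy", "ifdef", "ifndef", "ifelse", "define"}
# require { ... } with one level of nested braces (class permission sets).
REQUIRE_BLOCK = re.compile(r"require\s*\{(?:[^{}]|\{[^{}]*\})*\}", re.S)


def known_interfaces(if_text):
    """Names defined by interface(`...') or template(`...') in .if content."""
    return set(INTERFACE_DEF.findall(if_text))


def known_interfaces_from_dir(include_dir):
    """Same, but read every .if file below an installed include tree."""
    names = set()
    for path in glob.glob(os.path.join(include_dir, "**", "*.if"), recursive=True):
        with open(path, encoding="utf-8", errors="replace") as fh:
            names |= known_interfaces(fh.read())
    return names


def called_interfaces(te_text):
    """Interface-style calls in a .te, ignoring require blocks and m4 keywords."""
    body = REQUIRE_BLOCK.sub("", te_text)
    return [n for n in CALL.findall(body) if n not in NOT_INTERFACES]


def check_te(te_text, if_text):
    """Map each unknown interface name to the closest defined name (or None)."""
    known = known_interfaces(if_text)
    problems = {}
    for name in called_interfaces(te_text):
        if name not in known:
            near = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
            problems[name] = near[0] if near else None
    return problems


if __name__ == "__main__":
    for bad, fix in check_te(SAMPLE_TE, SAMPLE_IF).items():
        print(f"unknown interface {bad}(); did you mean {fix}()?")
```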
From elihusmails at gmail.com Wed Aug 8 15:40:03 2007
From: elihusmails at gmail.com (Mark)
Date: Wed, 8 Aug 2007 11:40:03 -0400
Subject: only allow 1 port for listening
Message-ID: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com>

I am new to writing policies and have been reading the reference policy files. I wrote a simple TCP server that listens on a port for connections. I would like to write a policy that will only allow my program to bind to a specific port (9999). I looked at the reference policy and see that the ports that programs are allowed to use are in policy/modules/kernel/corenetwork.te. My question is, can I specify the port in my program's type enforcement file so that I can make a module instead of listing this in the kernel policy? If so, what would the syntax be?

Thanks in advance.

--
..Cheers
Mark

From ftaylor at redhat.com Wed Aug 8 16:49:09 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 10:49:09 -0600
Subject: only allow 1 port for listening
In-Reply-To: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com>
Message-ID: <1186591749.21910.74.camel@papa.taylor.com>

On Wed, 2007-08-08 at 11:40 -0400, Mark wrote:
> I am new to writing policies and have been reading the reference
> policy files. I wrote a simple TCP server that listens on a port for
> connections. I would like to write a policy that will only allow my
> program to bind to a specific port (9999). I looked at the reference
> policy and see that the ports that programs are allowed to use are in
> policy/modules/kernel/corenetwork.te. My question is, can I specify
> the port in my program's type enforcement file so that I can make a
> module instead of listing this in the kernel policy? If so, what
> would the syntax be?

portcon is only valid in the base module, not a normal loadable module.
The command to generate the port entry for the policy is semanage. It
should look something like the following:

semanage port -a -t my_port_t -p tcp 9999

Forrest

From elihusmails at gmail.com Wed Aug 8 17:12:33 2007
From: elihusmails at gmail.com (Mark)
Date: Wed, 8 Aug 2007 13:12:33 -0400
Subject: only allow 1 port for listening
In-Reply-To: <1186591749.21910.74.camel@papa.taylor.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com>
Message-ID: <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com>

thanks for the information, but how could I add this to my .te file?

--
..Cheers
Mark

On 8/8/07, Forrest Taylor wrote:
>
> portcon is only valid in the base module, not a normal loadable module.
> The command to generate the port entry for the policy is semanage. It
> should look something like the following:
>
> semanage port -a -t my_port_t -p tcp 9999
>
> Forrest

From ftaylor at redhat.com Wed Aug 8 17:16:36 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 11:16:36 -0600
Subject: only allow 1 port for listening
In-Reply-To: <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com>
Message-ID: <1186593396.21910.77.camel@papa.taylor.com>

You cannot. You need to run this as a separate command or build it into
the base module (corenetwork.te).

Forrest

On Wed, 2007-08-08 at 13:12 -0400, Mark wrote:
> thanks for the information, but how could I add this to my .te file?

From elihusmails at gmail.com Wed Aug 8 17:21:36 2007
From: elihusmails at gmail.com (Mark)
Date: Wed, 8 Aug 2007 13:21:36 -0400
Subject: only allow 1 port for listening
In-Reply-To: <1186593396.21910.77.camel@papa.taylor.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com>
Message-ID: <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com>

ok. Thanks.

So I need to update corenetwork.te, recompile the policy, set the policy to the newly compiled one and reboot? Correct?

--
..Cheers
Mark

On 8/8/07, Forrest Taylor wrote:
>
> You cannot. You need to run this as a separate command or build it into
> the base module (corenetwork.te).
>
> Forrest

From ftaylor at redhat.com Wed Aug 8 17:26:23 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 11:26:23 -0600
Subject: only allow 1 port for listening
In-Reply-To: <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com>
Message-ID: <1186593985.21910.79.camel@papa.taylor.com>

That is one way to do it. If you run the semanage utility, it will
compile that information into the policy as well, and you don't have to
recompile the base policy.

Forrest

On Wed, 2007-08-08 at 13:21 -0400, Mark wrote:
> ok. Thanks.
>
> So I need to update corenetwork.te, recompile the policy, set the
> policy to the newly compiled one and reboot? Correct?
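Before running the semanage port command from this thread it is worth checking whether tcp/9999 is already defined, because semanage refuses to add an entry that already exists and wants -m instead. The script below is an added example, not from the thread and not part of semanage: it parses `semanage port -l` output and picks -a or -m. The listing is a constructed sample, and the script assumes that only an exact existing entry counts as "already defined" (a port that merely falls inside a range such as unreserved_port_t is still added with -a).

```python
import re

# Constructed excerpt in the layout `semanage port -l` prints; not captured from a real box.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
"""

ENTRY = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")


def parse_port_list(text):
    """Turn the listing into (type, proto, low, high) tuples; a single port has low == high."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank or unparseable line
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((ptype, proto, int(low), int(high or low)))
    return entries


def port_status(entries, proto, port):
    """('exact', type) if the port is listed on its own, ('range', type) if only a
    range covers it, ('free', None) otherwise."""
    covering = None
    for ptype, p, low, high in entries:
        if p != proto:
            continue
        if low == high == port:
            return ("exact", ptype)
        if covering is None and low <= port <= high:
            covering = ptype
    return ("range", covering) if covering else ("free", None)


def semanage_command(entries, new_type, proto, port):
    """The semanage invocation that labels PORT as NEW_TYPE, or None if it already is.
    Assumption: only an exact existing entry is 'already defined' to semanage, so a port
    that merely falls inside a range (unreserved_port_t here) is still added with -a."""
    status, current = port_status(entries, proto, port)
    if status == "exact":
        if current == new_type:
            return None
        return f"semanage port -m -t {new_type} -p {proto} {port}"
    return f"semanage port -a -t {new_type} -p {proto} {port}"


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_PORT_LIST)
    for port in (9999, 8080, 22):
        print(port, port_status(table, "tcp", port),
              semanage_command(table, "my_port_t", "tcp", port))
```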
From elihusmails at gmail.com Wed Aug 8 17:39:25 2007
From: elihusmails at gmail.com (Mark)
Date: Wed, 8 Aug 2007 13:39:25 -0400
Subject: only allow 1 port for listening
In-Reply-To: <1186593985.21910.79.camel@papa.taylor.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com>
Message-ID: <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com>

after running semanage, will the information remain in the policy after a reboot?

--
..Cheers
Mark

On 8/8/07, Forrest Taylor wrote:
>
> That is one way to do it. If you run the semanage utility, it will
> compile that information into the policy as well, and you don't have to
> recompile the base policy.
>
> Forrest

From sds at tycho.nsa.gov Wed Aug 8 17:44:12 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 08 Aug 2007 13:44:12 -0400
Subject: only allow 1 port for listening
In-Reply-To: <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com>
Message-ID: <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-08-08 at 13:39 -0400, Mark wrote:
> after running semanage, will the information remain in the policy
> after a reboot?

Yes, the change is persistent.

--
Stephen Smalley
National Security Agency

From tibbs at math.uh.edu Wed Aug 8 17:51:22 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 08 Aug 2007 12:51:22 -0500
Subject: Removing semanage-added rules (Was: only allow 1 port for listening)
In-Reply-To: <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com> <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

>>>>> "SS" == Stephen Smalley writes:

SS> Yes, the change is persistent.

Which reminds me to ask: if I flub a semanage command (which I find I
do very often), how do I undo my mistake?

- J<

From ftaylor at redhat.com Wed Aug 8 17:57:39 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 11:57:39 -0600
Subject: Removing semanage-added rules (Was: only allow 1 port for listening)
In-Reply-To:
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com> <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1186595859.21910.81.camel@papa.taylor.com>

On Wed, 2007-08-08 at 12:51 -0500, Jason L Tibbitts III wrote:
> >>>>> "SS" == Stephen Smalley writes:
>
> SS> Yes, the change is persistent.
>
> Which reminds me to ask: if I flub a semanage command (which I find I
> do very often), how do I undo my mistake?

Where you add a -a to add, replace that with a -d to delete, or a -m to modify.

Forrest

From ftaylor at redhat.com Wed Aug 8 17:58:53 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 11:58:53 -0600
Subject: only allow 1 port for listening
In-Reply-To: <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com>
Message-ID: <1186595933.21910.83.camel@papa.taylor.com>

On Wed, 2007-08-08 at 13:39 -0400, Mark wrote:
> after running semanage, will the information remain in the policy
> after a reboot?

Yes, semanage actually recompiles the policy, so it will be persistent
after a reboot.

Forrest

From tibbs at math.uh.edu Wed Aug 8 18:07:12 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 08 Aug 2007 13:07:12 -0500
Subject: Removing semanage-added rules (Was: only allow 1 port for listening)
In-Reply-To: <1186595859.21910.81.camel@papa.taylor.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com> <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil> <1186595859.21910.81.camel@papa.taylor.com>
Message-ID:

>>>>> "FT" == Forrest Taylor writes:

FT> Where you add a -a to add, replace that with a -d to delete, or a
FT> -m to modify.

Yeah, that was overly easy. I guess I was confused by how I'm
supposed to know what "NAME" is, especially for fcontext rules where
you give a pattern. (NAME seems to be the pattern itself.)

Is there a simple way to know if an fcontext pattern matches anything
so I can tell if I'm going to screw my system before deleting one?

- J<

From sds at tycho.nsa.gov Wed Aug 8 18:19:55 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 08 Aug 2007 14:19:55 -0400
Subject: Problem with domain transition on a nfs_t mount
In-Reply-To: <46B29D8E.6020800@gmail.com>
References: <46B29D8E.6020800@gmail.com>
Message-ID: <1186597195.6916.278.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-08-02 at 23:14 -0400, David-Alexandre Davidson wrote:
> On fedora 7, latest selinux strict policy.
>
> I have written a selinux module which goes through a domain transition
> when executing a file on an nfs mount (labeled nfs_t).
> However the transition never occurs, and I get a denied
> execute_no_trans on nfs_t files.
>
> In order to find the source of the problem I have taken a file with the
> exact same context outside of the nfs mount and the transition works fine.
>
> Here is the related part of my module:
>
> domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
> allow custom_trans_t nfs_t:file rx_file_perms;
> allow custom_trans_t nfs_t:dir r_dir_perms;
>
>
> Here are the details on the nfs share:
>
> file executed:
> -rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /home/usera/var/bin/testphp.app
>
> result:
> type=AVC msg=audit(1186108700.494:230294): avc: denied { execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app" dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
>
>
> Running the same program and executing an identical file outside the nfs
> share (I labelled it manually to match):
>
> file executed:
> -rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /testphp.app
>
> result:
> transition is made to context i_custom_t, nothing is audited
>
>
> Any idea what can cause this difference? I don't believe this behavior
> is normal. By the way, if I allow the execute_no_trans on nfs_t, the
> file gets executed just fine but without the expected transition...
>
> Any help would be much appreciated!
If the filesystem is mounted nosuid, then SELinux domain transitions on
it are also disabled. Not as flexible as we might like, but a
conservative approach. Rationale is that if you didn't trust the
filesystem in the first place for suid binaries, then you likely don't
trust it for domain entrypoints either.

--
Stephen Smalley
National Security Agency
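A quick way to check for the condition Stephen describes, added here as an example rather than taken from the thread: find the mount that holds the executable and see whether it carries nosuid. The mount table below is constructed (server, device and address are placeholders); on the affected box, feed it the contents of /proc/mounts instead.

```python
# Constructed /proc/mounts-style table; the paths are the ones from the report above,
# the NFS server, devices and address are placeholders.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext3 rw,relatime,seclabel 0 0
fileserver:/export/home /home nfs rw,nosuid,nodev,vers=3,addr=192.0.2.10 0 0
/dev/sda1 /boot ext3 rw,relatime,seclabel 0 0
"""


def parse_mounts(text):
    """(mount point, fstype, set of options) per line, in /proc/mounts field order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts.append((fields[1], fields[2], set(fields[3].split(","))))
    return mounts


def mount_for(mounts, path):
    """The mount entry with the longest mount point that is a prefix of path."""
    best = None
    for entry in mounts:
        mount_point = entry[0]
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            if best is None or len(mount_point) > len(best[0]):
                best = entry
    return best


def transitions_blocked(mounts, exe_path):
    """True when the executable sits on a nosuid mount: exec then stays in the caller's
    domain even though the entrypoint rule exists, which is why the AVC in the report
    shows execute_no_trans rather than a denied transition."""
    entry = mount_for(mounts, exe_path)
    return entry is not None and "nosuid" in entry[2]


def explain(mounts, exe_path):
    """One-line verdict for an executable path."""
    entry = mount_for(mounts, exe_path)
    if entry is None:
        return f"{exe_path}: no matching mount"
    verdict = "domain transitions disabled (nosuid)" if "nosuid" in entry[2] else "transitions allowed"
    return f"{exe_path}: on {entry[0]} ({entry[1]}): {verdict}"


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    print(explain(table, "/home/usera/var/bin/testphp.app"))
    print(explain(table, "/testphp.app"))
```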
From ftaylor at redhat.com Wed Aug 8 18:31:55 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 12:31:55 -0600
Subject: Removing semanage-added rules (Was: only allow 1 port for listening)
In-Reply-To:
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com> <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil> <1186595859.21910.81.camel@papa.taylor.com>
Message-ID: <1186597915.21910.87.camel@papa.taylor.com>

On Wed, 2007-08-08 at 13:07 -0500, Jason L Tibbitts III wrote:
> >>>>> "FT" == Forrest Taylor writes:
>
> FT> Where you add a -a to add, replace that with a -d to delete, or a
> FT> -m to modify.
>
> Yeah, that was overly easy. I guess I was confused by how I'm
> supposed to know what "NAME" is, especially for fcontext rules where
> you give a pattern. (NAME seems to be the pattern itself.)
>
> Is there a simple way to know if an fcontext pattern matches anything
> so I can tell if I'm going to screw my system before deleting one?

Do a -l to list it, and use grep to match your rule ;o)

semanage won't let you remove a rule that is not there. Nor will it let
you add a rule that already exists (you must modify it [-m]).

Forrest

From tibbs at math.uh.edu Wed Aug 8 18:45:48 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 08 Aug 2007 13:45:48 -0500
Subject: Removing semanage-added rules (Was: only allow 1 port for listening)
In-Reply-To: <1186597915.21910.87.camel@papa.taylor.com>
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com> <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil> <1186595859.21910.81.camel@papa.taylor.com> <1186597915.21910.87.camel@papa.taylor.com>
Message-ID:

>>>>> "FT" == Forrest Taylor writes:

FT> Do a -l to list it, and use grep to match your rule ;o)

I was trying to see if an fcontext pattern actually matched any files
in the filesystem.  Actually I'd like to know something more specific:
if it actually has any effect.  It could be covered by another rule.

An example: I see an AVC denial on one file, add a rule to change the
context on that file and realize later that I need a rule matching the
whole directory.  A week later and I'm cleaning up; can I really
delete that first rule?  There are a whole lot of fcontext rules; how
do I know it really doesn't have any effect?

 - J<

From ftaylor at redhat.com Wed Aug 8 19:16:20 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 08 Aug 2007 13:16:20 -0600
Subject: Removing semanage-added rules (Was: only allow 1 port for listening)
In-Reply-To:
References: <9f066ee90708080840q627adbbavb9e83b45a9f017e8@mail.gmail.com> <1186591749.21910.74.camel@papa.taylor.com> <9f066ee90708081012q6d70d876la8f1a4fd2db69c53@mail.gmail.com> <1186593396.21910.77.camel@papa.taylor.com> <9f066ee90708081021s73309c97j7ea244c033affba9@mail.gmail.com> <1186593985.21910.79.camel@papa.taylor.com> <9f066ee90708081039ud685d9ua075e32907d3e3fe@mail.gmail.com> <1186595052.6916.254.camel@moss-spartans.epoch.ncsc.mil> <1186595859.21910.81.camel@papa.taylor.com> <1186597915.21910.87.camel@papa.taylor.com>
Message-ID: <1186600580.21910.92.camel@papa.taylor.com>

On Wed, 2007-08-08 at 13:45 -0500, Jason L Tibbitts III wrote:
> >>>>> "FT" == Forrest Taylor writes:
>
> FT> Do a -l to list it, and use grep to match your rule ;o)
>
> I was trying to see if an fcontext pattern actually matched any files
> in the filesystem.  Actually I'd like to know something more specific:
> if it actually has any effect.  It could be covered by another rule.
>
> An example: I see an AVC denial on one file, add a rule to change the
> context on that file and realize later that I need a rule matching the
> whole directory.  A week later and I'm cleaning up; can I really
> delete that first rule?  There are a whole lot of fcontext rules; how
> do I know it really doesn't have any effect?

In that specific example, you could remove the file rule and use
restorecon to verify that it works as expected.  It is rather difficult
to determine the file context without using some empirical evidence.
Note that file_type_auto_trans could also come into play here negating
the fcontext rules.

Forrest
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
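Jason's question above, whether a narrow fcontext rule still does anything once a broader one exists, can be answered mechanically by replaying the lookup order that matchpathcon and restorecon use. The Python below is an added example, not code from this thread or from libselinux; it models that lookup (each pattern anchored with ^ and $, an optional file-type modifier such as -- or -d, the last matching entry wins, and file_contexts.local is consulted after the distribution file_contexts) and lists the rules that never win for a constructed set of sample paths. The rules, labels and paths are constructed; only regular files and directories are modelled, so entries with other modifiers (-l, -s, ...) never match here.

```python
"""
Which fcontext rule actually wins for a path, and which rules never win?

A model of the libselinux file_contexts lookup used by matchpathcon and
restorecon: every entry is an anchored regular expression (libselinux wraps
it in ^...$), an entry may be limited to one file type (-- regular file,
-d directory, -l symlink, ...), and when several entries match a path the
LAST matching entry wins.  Rules added with `semanage fcontext -a` land in
file_contexts.local, which is loaded after the distribution file, so they
take precedence over it.  All rules and paths below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FcontextRule:
    regex: str    # pattern exactly as written in file_contexts
    ftype: str    # "" (any type), "--", "-d", "-l", ... as in file_contexts
    context: str  # security context or <<none>>
    source: str   # label for where the rule came from (constructed)


def parse_file_contexts(text: str, source: str) -> list[FcontextRule]:
    """Parse file_contexts-style lines of the form: REGEX [TYPE] CONTEXT."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
        elif len(parts) == 2:
            (regex, context), ftype = parts, ""
        else:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        rules.append(FcontextRule(regex, ftype, context, source))
    return rules


def _type_matches(ftype: str, is_dir: bool) -> bool:
    if ftype == "":
        return True
    if ftype == "-d":
        return is_dir
    if ftype == "--":
        return not is_dir
    return False  # -l, -s, -p, -b, -c never match a regular file or directory


def winning_rule(rules, path: str, is_dir: bool = False):
    """Last matching rule wins, as in libselinux; None if nothing matches."""
    for rule in reversed(rules):
        if _type_matches(rule.ftype, is_dir) and re.fullmatch(rule.regex, path):
            return rule
    return None


def shadowed_rules(rules, sample_paths):
    """Rules that never win for any (path, is_dir) sample: removal candidates."""
    winners = {winning_rule(rules, path, is_dir) for path, is_dir in sample_paths}
    return [rule for rule in rules if rule not in winners]


# Constructed distribution rules (what the policy package ships).
DIST_FILE_CONTEXTS = """
/var/www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
"""

# Constructed local rules in the order they were added with semanage:
# first a narrow rule for the one file that produced an AVC denial,
# then, a week later, a rule for the whole directory.
LOCAL_FILE_CONTEXTS = """
/srv/app/index\\.html  --  system_u:object_r:httpd_sys_content_t:s0
/srv/app(/.*)?             system_u:object_r:httpd_sys_content_t:s0
"""

ALL_RULES = (parse_file_contexts(DIST_FILE_CONTEXTS, "file_contexts")
             + parse_file_contexts(LOCAL_FILE_CONTEXTS, "file_contexts.local"))

# Constructed sample of (path, is_dir) an admin would check, e.g. from `find`.
SAMPLE_PATHS = [("/srv/app", True), ("/srv/app/index.html", False),
                ("/srv/app/js/main.js", False), ("/var/www/index.html", False),
                ("/var/www/cgi-bin/x.cgi", False)]

if __name__ == "__main__":
    for path, is_dir in SAMPLE_PATHS:
        rule = winning_rule(ALL_RULES, path, is_dir)
        print(f"{path:28s} -> {rule.context} (via {rule.regex} in {rule.source})")
    for rule in shadowed_rules(ALL_RULES, SAMPLE_PATHS):
        print(f"never wins for the sampled paths: {rule.regex} ({rule.source})")
```

To use it on a real system, feed it the contents of /etc/selinux/&lt;policy&gt;/contexts/files/file_contexts and file_contexts.local in that order, plus the paths from a `find` over the directories you care about; a local rule that never wins for any of them is the one you can drop, and `restorecon -nv` on the same paths before and after confirms it. As Forrest notes, a type transition at file-creation time is a separate mechanism that this lookup model does not cover.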
From hal_bg at yahoo.com Wed Aug 8 19:39:45 2007
From: hal_bg at yahoo.com (Hal)
Date: Wed, 8 Aug 2007 12:39:45 -0700 (PDT)
Subject: Strict policy on FC6 and F7
In-Reply-To: <1186572337.3108.8.camel@notepc.intrajp-yokosuka.co.jp>
Message-ID: <820254.19320.qm@web32201.mail.mud.yahoo.com>

I have tried with
logging_send_audit_msgs(local_login_t)

But still:
[root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
#line 9
allow local_login_t self:capability audit_write;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1

I really have no idea what all this means.
There is nowhere "allow" in local.te. If it is in these macros at the end...
Do I need to install the policy source and edit it?

However, I am more interested in solving the Firefox problem on FC6.
On the other hand I do not understand how login can be disabled in the strict
policy in F7. Is this a bug or a feature? I am really confused.

--- shintaro_fujiwara wrote:

> Ooops
> This seems to be the same problem as Hal has.
>
> My suggestion is, do not use allow sentence, but
> use interface.
> Please read Hal and I might solve this problem.
> comment out those line same as interface says.
> I mean,
>
> #allow local_login_t ...
>
> You can do it !
> Because I already solved it.
>
>
> On 2007-08-08 (Wed) at 02:11 -0700, Louis Lam wrote:
> > Hi,
> >
> > I'm trying to enable strict policy on fc7, need to do this too. But I
> > got this error when I tried to compile the module
> >
> > [root at localhost local_module_for_login]# make -f /usr/share/selinux/devel/Makefile local.pp
> > Compiling targeted local module
> > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > local.te:10:ERROR 'unknown class capability used in rule' at token ';' on line 80642:
> > #line 10
> > allow local_login_t self:capability audit_write;
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/local.mod] Error 1
> >
> > Thanks & Rgds,
> > Louis
> >
> > ----- Original Message ----
> > From: shintaro_fujiwara
> > To: Hal ; fedora-selinux-list at redhat.com
> > Sent: Tuesday, August 7, 2007 5:27:16 PM
> > Subject: Re: Strict policy on FC6 and F7
> >
> > On 2007-08-07 (Tue) at 09:48 -0700, Hal wrote:
> > > Hallo
> > >
> > > After a problem with the strict policy in FC6: firefox does not start under
> > > strict policy. No messages at all. I decided to check if firefox under strict
> > > policy on F7 works.
> > > I have installed F7 and enabled strict policy. But from now on I can no longer
> > > login when enforcing is on. When I enter username and password I get
> > > permission denied even for root in GDM. In console I just get a new "username"
> > > prompt.
> > >
> > > I do not understand why firefox does not start in FC6 and
> > > I cannot login on F7 under strict policy?
> > >
> > > What might be wrong?
> > >
> > Because, now you're in enforcing mode,
> > please disable SELinux and login.
> > Install devel policy.
> >
> > #yum install selinux-policy-devel
> >
> > Please install this module.
> >
> > #vim local.te
> >
> > module local 1.0;
> >
> > require {
> >     type local_login_t;
> >     class netlink_audit_socket { append bind connect shutdown ioctl getattr
> >         setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > }
> >
> > logging_send_audit_msg(local_login_t)
> > logging_set_loginuid(local_login_t)
> >
> > #make -f /usr/share/selinux/devel/Makefile local.pp
> > #semodule -i local.pp
> > #semodule -l|grep local
> >
> > Set SELinux enforcing.
> >
> > Did it work?
> >
> > > Hal
> > >
> > > ____________________________________________________________________________________
> > > Luggage? GPS? Comic books?
> > > Check out fitting gifts for grads at Yahoo! Search
> > > http://search.yahoo.com/search?fr=oni_on_mail&p=graduation+gifts&cs=bz
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> > Send instant messages to your online friends http://uk.messenger.yahoo.com

____________________________________________________________________________________
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more.
http://mobile.yahoo.com/go?refer=1GNXIC

From cpebenito at tresys.com Wed Aug 8 19:55:12 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Wed, 08 Aug 2007 15:55:12 -0400
Subject: Strict policy on FC6 and F7
In-Reply-To: <820254.19320.qm@web32201.mail.mud.yahoo.com>
References: <820254.19320.qm@web32201.mail.mud.yahoo.com>
Message-ID: <1186602912.25504.11.camel@gorn.columbia.tresys.com>

On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> I have tried with
> logging_send_audit_msgs(local_login_t)
>
> But still:
> [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling strict local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line
> 81105:
> #line 9
> allow local_login_t self:capability audit_write;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
> I really have no idea what all this means.
> there is nowhere "allow" in local.te. if it is in this macros at the end...
> Do I need to install the policy source and edit it?

It is in the interface.  You need to change this:

> > > module local 1.0;

to this:

policy_module(local,1.0)

It will automatically require all of the kernel object classes.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From hal_bg at yahoo.com Wed Aug 8 20:32:13 2007
From: hal_bg at yahoo.com (Hal)
Date: Wed, 8 Aug 2007 13:32:13 -0700 (PDT)
Subject: Strict policy on FC6 and F7
In-Reply-To: <1186602912.25504.11.camel@gorn.columbia.tresys.com>
Message-ID: <491427.4204.qm@web32212.mail.mud.yahoo.com>

Well
I managed to compile the module, but
it does not work for me.
Compiled, loaded, set enforcing and: "authentication failed" again.

I do not know if I am stupid, but I cannot get along with this SELinux...

Does this module work for you guys????

hal

--- "Christopher J. PeBenito" wrote:

> On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > I have tried with
> > logging_send_audit_msgs(local_login_t)
> >
> > But still:
> > [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > Compiling strict local module
> > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line
> > 81105:
> > #line 9
> > allow local_login_t self:capability audit_write;
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/local.mod] Error 1
> >
> > I really have no idea what all this means.
> > there is nowhere "allow" in local.te. if it is in this macros at the end...
> > Do I need to install the policy source and edit it?
>
> It is in the interface.  You need to change this:
>
> > > > module local 1.0;
>
> to this:
>
> policy_module(local,1.0)
>
> It will automatically require all of the kernel object classes.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150

From shin216 at xf7.so-net.ne.jp Wed Aug 8 21:23:42 2007
From: shin216 at xf7.so-net.ne.jp (shintaro_fujiwara)
Date: Thu, 09 Aug 2007 06:23:42 +0900
Subject: Strict policy on FC6 and F7
In-Reply-To: <491427.4204.qm@web32212.mail.mud.yahoo.com>
References: <491427.4204.qm@web32212.mail.mud.yahoo.com>
Message-ID: <1186608222.3108.22.camel@notepc.intrajp-yokosuka.co.jp>

On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
> Well
> I managed to compile the module, but
> it does not work for me.
> Compiled, loaded, set enforcing and: "authentication failed" again.
>
> I do not know if I am stupid, but I cannot get along with this SELinux...
>
> Does this module work for you guys????
>
> hal
>
> --- "Christopher J. PeBenito" wrote:
>
> > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > I have tried with
> > > logging_send_audit_msgs(local_login_t)
> > >
> > > But still:
> > > [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > > Compiling strict local module
> > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on
> > line
> > > 81105:
> > > #line 9
> > > allow local_login_t self:capability audit_write;

Because we did not write

class capability { audit_write };

in require brace.

write it and try again.
Did you make it?

As a matter of fact, I have another problem on strict policy.
I ended up breaking F7 altogether eliminating libselinux with --nodeps.
Now I'm trying to upgrade FC6 to F7.
You can upgrade FC6 to F7, if you are tired of your process on F7.
Do not stop trying strict policy. Never surrender.
It's rewarding, and SELinux guys will guide you to the right place.

> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make: *** [tmp/local.mod] Error 1
> > >
> > > I really have no idea what all this means.
> > > there is nowhere "allow" in local.te. if it is in this macros at the end...
> > > Do I need to install the policy source and edit it?
> >
> > It is in the interface.  You need to change this:
> >
> > > > > module local 1.0;
> >
> > to this:
> >
> > policy_module(local,1.0)
> >
> > It will automatically require all of the kernel object classes.
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150

From hal_bg at yahoo.com Wed Aug 8 21:43:47 2007
From: hal_bg at yahoo.com (Hal)
Date: Wed, 8 Aug 2007 14:43:47 -0700 (PDT)
Subject: Strict policy on FC6 and F7
In-Reply-To: <1186608222.3108.22.camel@notepc.intrajp-yokosuka.co.jp>
Message-ID: <753043.34611.qm@web32204.mail.mud.yahoo.com>

Authentication failed again :(
but meanwhile I have checked firefox on strict policy on FC7; it does not work.

--- shintaro_fujiwara wrote:

> On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
> > Well
> > I managed to compile the module, but
> > it does not work for me.
> > Compiled, loaded, set enforcing and: "authentication failed" again.
> >
> > I do not know if I am stupid, but I cannot get along with this SELinux...
> >
> > Does this module work for you guys????
> >
> > hal
> >
> > --- "Christopher J. PeBenito" wrote:
> >
> > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > I have tried with
> > > > logging_send_audit_msgs(local_login_t)
> > > >
> > > > But still:
> > > > [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > > > Compiling strict local module
> > > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line
> > > > 81105:
> > > > #line 9
> > > > allow local_login_t self:capability audit_write;
> Because we did not write
>
> class capability { audit_write };
>
> in require brace.
>
> write it and try again.
> Did you make it?
>
>
> As a matter of fact, I have another problem on strict policy.
> I ended up breaking F7 altogether eliminating libselinux with --nodeps.
> Now I'm trying to upgrade FC6 to F7.
> You can upgrade FC6 to F7, if you are tired of your process on F7.
> Do not stop trying strict policy. Never surrender.
> It's rewarding, and SELinux guys will guide you to the right place.
> > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > make: *** [tmp/local.mod] Error 1
> > > >
> > > > I really have no idea what all this means.
> > > > there is nowhere "allow" in local.te. if it is in this macros at the end...
> > > > Do I need to install the policy source and edit it?
> > >
> > > It is in the interface.  You need to change this:
> > >
> > > > > > module local 1.0;
> > >
> > > to this:
> > >
> > > policy_module(local,1.0)
> > >
> > > It will automatically require all of the kernel object classes.
> > >
> > > --
> > > Chris PeBenito
> > > Tresys Technology, LLC
> > > (410) 290-1411 x150

____________________________________________________________________________________
Sick sense of humor? Visit Yahoo! TV's
Comedy with an Edge to see what's on, when.
http://tv.yahoo.com/collections/222

From shin216 at xf7.so-net.ne.jp Wed Aug 8 21:55:49 2007
From: shin216 at xf7.so-net.ne.jp (shintaro_fujiwara)
Date: Thu, 09 Aug 2007 06:55:49 +0900
Subject: Strict policy on FC6 and F7
In-Reply-To: <753043.34611.qm@web32204.mail.mud.yahoo.com>
References: <753043.34611.qm@web32204.mail.mud.yahoo.com>
Message-ID: <1186610150.3108.26.camel@notepc.intrajp-yokosuka.co.jp>

I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.

On 2007-08-08 (Wed) at 14:43 -0700, Hal wrote:
> Authentication failed again :(
> but meanwhile I have checked firefox on strict policy on FC7; it does not work.
>
> --- shintaro_fujiwara wrote:
>
> > On 2007-08-08 (Wed) at 13:32 -0700, Hal wrote:
> > > Well
> > > I managed to compile the module, but
> > > it does not work for me.
> > > Compiled, loaded, set enforcing and: "authentication failed" again.
> > >
> > > I do not know if I am stupid, but I cannot get along with this SELinux...
> > >
> > > Does this module work for you guys????
> > >
> > > hal
> > >
> > > --- "Christopher J. PeBenito" wrote:
> > >
> > > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > > I have tried with
> > > > > logging_send_audit_msgs(local_login_t)
> > > > >
> > > > > But still:
> > > > > [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > > > > Compiling strict local module
> > > > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > > > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line
> > > > > 81105:
> > > > > #line 9
> > > > > allow local_login_t self:capability audit_write;
> > Because we did not write
> >
> > class capability { audit_write };
> >
> > in require brace.
> >
> > write it and try again.
> > Did you make it?
> >
> >
> > As a matter of fact, I have another problem on strict policy.
> > I ended up breaking F7 altogether eliminating libselinux with --nodeps.
> > Now I'm trying to upgrade FC6 to F7.
> > You can upgrade FC6 to F7, if you are tired of your process on F7.
> > Do not stop trying strict policy. Never surrender.
> > It's rewarding, and SELinux guys will guide you to the right place.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make: *** [tmp/local.mod] Error 1
> > > > >
> > > > > I really have no idea what all this means.
> > > > > there is nowhere "allow" in local.te. if it is in this macros at the end...
> > > > > Do I need to install the policy source and edit it?
> > > >
> > > > It is in the interface.  You need to change this:
> > > >
> > > > > > > module local 1.0;
> > > >
> > > > to this:
> > > >
> > > > policy_module(local,1.0)
> > > >
> > > > It will automatically require all of the kernel object classes.
> > > >
> > > > --
> > > > Chris PeBenito
> > > > Tresys Technology, LLC
> > > > (410) 290-1411 x150

From ryvore at gmail.com Thu Aug 9 00:28:06 2007
From: ryvore at gmail.com (David-Alexandre Davidson)
Date: Wed, 08 Aug 2007 20:28:06 -0400
Subject: Problem with domain transition on a nfs_t mount
In-Reply-To: <1186597195.6916.278.camel@moss-spartans.epoch.ncsc.mil>
References: <46B29D8E.6020800@gmail.com> <1186597195.6916.278.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <46BA5F96.8010506@gmail.com>

Stephen Smalley wrote:
> On Thu, 2007-08-02 at 23:14 -0400, David-Alexandre Davidson wrote:
>
>> On Fedora 7, latest SELinux strict policy.
>>
>> I have written an SELinux module which goes through a domain transition
>> when executing a file on an NFS mount (labeled nfs_t).
>> However the transition never occurs, and I get a denied
>> execute_no_trans on nfs_t files.
>>
>> In order to find the source of the problem I have taken a file with the
>> exact same context outside of the NFS mount and the transition works fine.
>>
>> Here is the related part of my module:
>>
>> domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
>> allow custom_trans_t nfs_t:file rx_file_perms;
>> allow custom_trans_t nfs_t:dir r_dir_perms;
>>
>>
>> Here are the details on the NFS share:
>>
>> file executed:
>> -rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /home/usera/var/bin/testphp.app
>>
>> result:
>> type=AVC msg=audit(1186108700.494:230294): avc: denied { execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app" dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
>>
>>
>> Running the same program and executing an identical file outside the NFS
>> share (I labelled it manually to match):
>>
>> file executed:
>> -rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /testphp.app
>>
>> result:
>> transition is made to context i_custom_t, nothing is audited
>>
>>
>> Any idea what can cause this difference? I don't believe this behavior
>> is normal. By the way, if I allow the execute_no_trans on nfs_t, the
>> file gets executed just fine but without the expected transition...
>>
>> Any help would be much appreciated!
>>
>
> If the filesystem is mounted nosuid, then SELinux domain transitions on
> it are also disabled. Not as flexible as we might like, but a
> conservative approach. Rationale is that if you didn't trust the
> filesystem in the first place for suid binaries, then you likely don't
> trust it for domain entrypoints either.
>
>

Yes that's the case, my filesystem is mounted nosuid.
Luckily it was not a necessity, but rather because the suid feature is
not required on those files.
I will change my mount settings, thanks a lot for your help!

By the way, are there plans to ever add configuration options to the
SELinux config file? I believe it would be a natural way to specify
various SELinux behaviors in cases like this one, where the policy
itself isn't concerned. In my particular situation I am forcing a
domain transition in order to isolate everything that is executed on
the mounted filesystem in the same domain. An execution without
transition would be a greater security risk.

------------------------------------
David-Alexandre Davidson
IHQ Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kaigai at kaigai.gr.jp Thu Aug 9 10:32:45 2007
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Thu, 09 Aug 2007 19:32:45 +0900
Subject: MLS/MCS disabled in building a policy module
In-Reply-To: <46B7ED8B.6060506@ak.jp.nec.com>
References: <46B7ED8B.6060506@ak.jp.nec.com>
Message-ID: <46BAED4D.8010003@kaigai.gr.jp>

I want you to see the following console log:

[root at masu ~]# cd /usr/share/selinux/devel
[root at masu devel]# make -f ./Makefile NAME=targeted
Compiling targeted example module
/usr/bin/checkmodule: loading policy configuration from tmp/example.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/example.mod
Creating targeted example.pp policy package
rm tmp/example.mod tmp/example.mod.fc
[root at masu devel]# /usr/sbin/semodule -i example.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root at masu devel]#

When we try to build a policy package without a specific TYPE parameter,
$(NAME)${MCSFLAG} is set as the default value in
/usr/share/selinux/devel/Makefile. $(NAME) is typically one of "targeted",
"strict" or "mls", and $(MCSFLAG) is "-mls" or "-mcs". Therefore
"targeted-mcs", for example, will be used when we omit the TYPE parameter.

In the next stage, /usr/share/selinux/devel/include/Makefile checks the TYPE
parameter to decide whether MLS/MCS should be enabled or not. But the above
default value is not suitable for the following conditional statements.
-------------------------------------
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
	M4PARAM += -D enable_mls
	CHECKPOLICY += -M
	CHECKMODULE += -M
endif

# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
	M4PARAM += -D enable_mcs
	CHECKPOLICY += -M
	CHECKMODULE += -M
endif
-------------------------------------
The origin of the problem is that an unexpected TYPE will be generated when
we omit it. The following patch fixes the problem.
--- Makefile.devel.orig 2007-08-09 16:25:45.000000000 +0900 +++ Makefile.devel 2007-08-09 16:26:08.000000000 +0900 @@ -10,15 +10,15 @@ endif ifeq ($(MLSENABLED),1) - MCSFLAG=-mcs + MCSFLAG=mcs endif ifeq ($(NAME), mls) NAME = strict - MCSFLAG = -mls + MCSFLAG=mls endif -TYPE ?= $(NAME)${MCSFLAG} +TYPE ?= $(MCSFLAG) HEADERDIR := $(SHAREDIR)/devel/include include $(HEADERDIR)/Makefile -- KaiGai Kohei From phaceton at gmail.com Thu Aug 9 12:51:05 2007 From: phaceton at gmail.com (Peter Harmsen) Date: Thu, 9 Aug 2007 14:51:05 +0200 Subject: thanks! Message-ID: <3655f5d90708090551p41843cedvc6e1385a0a5ed7bb@mail.gmail.com> I would like to thank the devs for including a policy for firefox & co P: -- I have made this letter longer than usual, because i lack the time to make it short. From sds at tycho.nsa.gov Thu Aug 9 12:51:27 2007 
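Review bot: in the Makefile.devel hunk above, `TYPE ?= $(MCSFLAG)` leaves TYPE as an empty string whenever MLSENABLED is not 1 and NAME is not mls, because MCSFLAG is only assigned inside those two ifeq blocks. The `ifeq "$(TYPE)" "mls"` / `ifeq "$(TYPE)" "mcs"` checks in include/Makefile quoted in the message happen to treat an empty TYPE as the non-MLS case, so the build still works, but anything else that reads TYPE now sees nothing, and the previous behaviour of always producing a value ("targeted", "strict", ...) is lost. Suggest giving the non-MLS case an explicit default before the conditionals, e.g. `MCSFLAG ?= standard`, so TYPE is always one of three recognisable names. Minor: the replacement lines use `MCSFLAG=mcs` / `MCSFLAG=mls` where the removed line had `MCSFLAG = -mls`; harmless to make, but worth keeping the spacing consistent within the file.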
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 09 Aug 2007 08:51:27 -0400
Subject: Problem with domain transition on a nfs_t mount
In-Reply-To: <46BA5F96.8010506@gmail.com>
References: <46B29D8E.6020800@gmail.com> <1186597195.6916.278.camel@moss-spartans.epoch.ncsc.mil> <46BA5F96.8010506@gmail.com>
Message-ID: <1186663887.6916.402.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-08-08 at 20:28 -0400, David-Alexandre Davidson wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-08-02 at 23:14 -0400, David-Alexandre Davidson wrote:
> >
> > > On Fedora 7, latest SELinux strict policy.
> > >
> > > I have written an SELinux module which goes through a domain transition
> > > when executing a file on an NFS mount (labeled nfs_t).
> > > However the transition never occurs, and I get a denied
> > > execute_no_trans on nfs_t files.
> > >
> > > In order to find the source of the problem I have taken a file with the
> > > exact same context outside of the NFS mount and the transition works fine.
> > >
> > > Here is the related part of my module:
> > >
> > > domain_auto_trans(custom_trans_t,nfs_t,i_custom_t);
> > > allow custom_trans_t nfs_t:file rx_file_perms;
> > > allow custom_trans_t nfs_t:dir r_dir_perms;
> > >
> > >
> > > Here are the details on the NFS share:
> > >
> > > file executed:
> > > -rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /home/usera/var/bin/testphp.app
> > >
> > > result:
> > > type=AVC msg=audit(1186108700.494:230294): avc: denied { execute_no_trans } for pid=5969 comm="custom-app" name="testphp.app" dev=0:18 ino=269058250 scontext=system_u:system_r:custom_trans_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
> > >
> > >
> > > Running the same program and executing an identical file outside the NFS
> > > share (I labelled it manually to match):
> > >
> > > file executed:
> > > -rwxrwxr-x vu20003 vg20003 system_u:object_r:nfs_t /testphp.app
> > >
> > > result:
> > > transition is made to context i_custom_t, nothing is audited
> > >
> > >
> > > Any idea what can cause this difference? I don't believe this behavior
> > > is normal. By the way, if I allow the execute_no_trans on nfs_t, the
> > > file gets executed just fine but without the expected transition...
> > >
> > > Any help would be much appreciated!
> > >
> >
> > If the filesystem is mounted nosuid, then SELinux domain transitions on
> > it are also disabled. Not as flexible as we might like, but a
> > conservative approach. Rationale is that if you didn't trust the
> > filesystem in the first place for suid binaries, then you likely don't
> > trust it for domain entrypoints either.
> >
> >
> Yes that's the case, my filesystem is mounted nosuid.
> Luckily it was not a necessity, but rather because the suid feature is
> not required on those files.
> I will change my mount settings, thanks a lot for your help!

Hmm...that makes me uneasy.  We don't want to weaken your security, and
mounting nosuid is a prudent measure when possible.  This issue has come
up before, but never been run to ground.  Alternatives to disabling
domain transitions upon nosuid would be:
- introduce our own separate mount option for this purpose (notrans or
similar).  However, this would require the admin to be explicitly aware
of SELinux, and he might not think of it when he wants to treat a
filesystem as untrusted.
- assume that the admin will always use a context mount when the
filesystem is untrusted, thereby overriding any contexts on the
filesystem with one that is not an entrypoint.
- perform an associate check between the inode label and the superblock
label upon d_instantiate and remap the inode to unlabeled if the
association is not permitted, so that one can mount a filesystem with
fscontext= and thereby prohibit privileged entrypoint types from being
taken from it while still using other types from it.

Should likely be added to the kernel todo list.

> By the way, are there plans to ever add configuration options to the
> SELinux config file? I believe it would be a natural way to specify
> various SELinux behaviors in cases like this one, where the policy
> itself isn't concerned. In my particular situation I am forcing a
> domain transition in order to isolate everything that is executed on
> the mounted filesystem in the same domain. An execution without
> transition would be a greater security risk.

Well, it could be controllable via a /selinux setting I suppose, and
that could be initially set based on /etc/selinux/config.

-- 
Stephen Smalley
National Security Agency
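One way to find ahead of time the executables affected by the rule Stephen describes (no domain transition for anything executed from a nosuid mount) is to cross-check the mount table against the labels of known entry-point files. The Python below is an added example, not code from this thread or from the SELinux project; it parses a /proc/mounts-style table, resolves each path to its mount by the longest mount point that prefixes it (an approximation of the kernel's path resolution that ignores mounts stacked on the same path), and reports entry-point files that live on nosuid mounts. The mount lines, the (path, label) pairs and the set of entry-point types are constructed; on a real system the table is /proc/mounts, the labels come from ls -Z and the entry-point types from the loaded policy.

```python
"""
Audit which labelled entry-point executables sit on nosuid mounts.

SELinux does not perform a domain transition for a program executed from a
filesystem mounted nosuid: as the thread shows, the caller either gets an
execute_no_trans denial (if the policy does not allow that) or runs the
program without the transition the policy intended.  This script resolves
each executable to the mount it lives on and reports the ones whose
transition will therefore not happen.  Everything below is constructed
sample data for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text: str) -> list:
    """Parse /proc/mounts lines: source target fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, options = fields[:4]
        mounts.append(Mount(_unescape(source), _unescape(target), fstype,
                            frozenset(options.split(","))))
    return mounts


def mount_for(mounts, path: str):
    """The mount whose target is the longest prefix of path, or None.

    Assumption: longest-prefix match approximates the kernel's resolution;
    it does not model several mounts stacked on the same mount point.
    """
    best = None
    for m in mounts:
        prefix = m.target.rstrip("/") + "/"      # "/" -> "/", "/home" -> "/home/"
        if path == m.target or path.startswith(prefix):
            if best is None or len(m.target) > len(best.target):
                best = m
    return best


def blocked_transitions(mounts, executables, entrypoint_types):
    """
    Return (path, file type, mount point) for every executable whose label is
    an entry-point type but which lives on a nosuid mount, so the transition
    the policy defines for it will not take place.
    """
    blocked = []
    for path, label in executables:
        ftype = label.split(":")[2]              # user:role:type[:level]
        if ftype not in entrypoint_types:
            continue
        mnt = mount_for(mounts, path)
        if mnt is not None and "nosuid" in mnt.options:
            blocked.append((path, ftype, mnt.target))
    return blocked


# Constructed /proc/mounts: the root filesystem, an NFS home export mounted
# nosuid (the situation in the thread) and a nosuid tmpfs.
PROC_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
nfsserver:/export/home /home nfs rw,nosuid,nodev,addr=192.0.2.10 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Constructed (path, label) pairs as `ls -Z` would show them.
EXECUTABLES = [
    ("/usr/bin/passwd", "system_u:object_r:passwd_exec_t:s0"),
    ("/home/usera/var/bin/testphp.app", "system_u:object_r:nfs_t:s0"),
    ("/home/usera/notes.txt", "user_u:object_r:user_home_t:s0"),
    ("/tmp/build/helper", "system_u:object_r:bin_t:s0"),
]

# Constructed set of types that some domain_auto_trans rule uses as an entry
# point; nfs_t is one here because the thread's module makes it the entry
# point for i_custom_t.
ENTRYPOINT_TYPES = {"passwd_exec_t", "nfs_t"}

MOUNTS = parse_proc_mounts(PROC_MOUNTS)

if __name__ == "__main__":
    for path, ftype, mountpoint in blocked_transitions(MOUNTS, EXECUTABLES, ENTRYPOINT_TYPES):
        print(f"{path}: type {ftype} is an entry point but {mountpoint} is nosuid; "
              f"no domain transition will occur")
```

The check is deliberately one-directional: an entry-point file on a nosuid mount is the case the thread is about, while a file on such a mount that is not an entry point behaves the same with or without the flag. Re-running it after changing mount options, as David did, confirms that the transition path is clear again without having to provoke an AVC denial.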
From elihusmails at gmail.com Thu Aug 9 13:43:22 2007
From: elihusmails at gmail.com (Mark)
Date: Thu, 9 Aug 2007 09:43:22 -0400
Subject: SLIDE error
Message-ID: <9f066ee90708090643o7e326871g9e51204d841a9146@mail.gmail.com>

I have installed the latest version of SLIDE, and downloaded the latest
reference policy (20070629). I open up Eclipse and create a new policy module
project. I then point Eclipse to the location where I unpacked the reference
policy (refpolicy-20070629.tar.bz2). I then get the following error:

Rules.modular:152: *** No enabled modules! modules.conf may need to be
generated by using "make conf".  Stop.

Can anyone please tell me where I am going wrong?

Thanks.

-- 
..Cheers
Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From elihusmails at gmail.com Thu Aug 9 15:15:35 2007
From: elihusmails at gmail.com (Mark)
Date: Thu, 9 Aug 2007 11:15:35 -0400
Subject: java error after installing reference policy
Message-ID: <9f066ee90708090815t514eddf6k7d02903d806d7c6c@mail.gmail.com>

I followed the instructions for installing the latest reference policy:
http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

After rebooting, I get the following command when I run SLIDE:

Java HotSpot(TM) Client VM warning: Attempt to allocate stack guard pages failed.
Error occurred during initialization of VM
Could not reserve enough space for code cache

I then tried just running "java -version", and I get the same error message.

I am running Sun's JDK version 1.6 update 2.

-- 
..Cheers
Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sds at tycho.nsa.gov Thu Aug 9 16:41:20 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 09 Aug 2007 12:41:20 -0400
Subject: java error after installing reference policy
In-Reply-To: <9f066ee90708090815t514eddf6k7d02903d806d7c6c@mail.gmail.com>
References: <9f066ee90708090815t514eddf6k7d02903d806d7c6c@mail.gmail.com>
Message-ID: <1186677680.6916.589.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-08-09 at 11:15 -0400, Mark wrote:
> I followed the instructions for installing the latest reference policy: http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

Why? The stock Fedora policy is already refpolicy-based.
What kind of policy did you build (build.conf settings)?

> After rebooting, I get the following command when I run SLIDE:
>
> Java HotSpot(TM) Client VM warning: Attempt to allocate stack guard pages failed.
> Error occurred during initialization of VM
> Could not reserve enough space for code cache
>
> I then tried just running "java -version", and I get the same error message.
>
> I am running Sun's JDK version 1.6 update 2.

Likely need to set booleans for execstack/execmem. Or make sure java runs in a domain that has those permissions.

-- 
Stephen Smalley
National Security Agency

From elihusmails at gmail.com Thu Aug 9 17:34:56 2007
From: elihusmails at gmail.com (Mark)
Date: Thu, 9 Aug 2007 13:34:56 -0400
Subject: java error after installing reference policy
In-Reply-To: <1186677680.6916.589.camel@moss-spartans.epoch.ncsc.mil>
References: <9f066ee90708090815t514eddf6k7d02903d806d7c6c@mail.gmail.com> <1186677680.6916.589.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <9f066ee90708091034x7981a572j3001830d3a8284a8@mail.gmail.com>

The reason why I did this was to try different things in order to get the reference policy to compile in SLIDE. I posted a message to the mailing list about this. Sorry, I'm fairly new to SE Linux and am trying to learn it. "SE Linux by Example" is on the way :)

On 8/9/07, Stephen Smalley wrote:
>
> On Thu, 2007-08-09 at 11:15 -0400, Mark wrote:
> > I followed the instructions for installing the latest reference policy: http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy
>
> Why? The stock Fedora policy is already refpolicy-based.
> What kind of policy did you build (build.conf settings)?
>
> > After rebooting, I get the following command when I run SLIDE:
> >
> > Java HotSpot(TM) Client VM warning: Attempt to allocate stack guard pages failed.
> > Error occurred during initialization of VM
> > Could not reserve enough space for code cache
> >
> > I then tried just running "java -version", and I get the same error message.
> >
> > I am running Sun's JDK version 1.6 update 2.
>
> Likely need to set booleans for execstack/execmem. Or make sure java runs in a domain that has those permissions.
>
> --
> Stephen Smalley
> National Security Agency

-- 
..Cheers
Mark

From pedro.lamarao at mndfck.org Sun Aug 5 17:47:42 2007
From: pedro.lamarao at mndfck.org (Pedro Lamarão)
Date: Sun, 05 Aug 2007 14:47:42 -0300
Subject: avc denied for /sbin/rpc.statd
Message-ID:

I got this today while updating an FC7 system.

avc: denied { search } for comm="rpc.statd" dev=dm-0 egid=0 euid=0 exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sbin" pid=7791 scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0

avc: denied { search } for comm="rpc.statd" egid=0 euid=0 exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=7790 scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0

-- 
Pedro Lamarão

From lshoujun at yahoo.com Fri Aug 10 02:36:03 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Thu, 9 Aug 2007 19:36:03 -0700 (PDT)
Subject: Strict policy on FC6 and F7
Message-ID: <34135.81661.qm@web34808.mail.mud.yahoo.com>

Hi,

I'm still having problems compiling the local.te module. The problem i'm facing seems to be different from Hal's:

--------------------
local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
---------------------

My local.te file looks like this:
-------------
policy_module(local,1.0)

require {
	type local_login_t;
	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
-------------

Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.

BTW here are some details on my environment:

1. I'm using the stock policy for FC7 2.6.4-8
2. I did the compilation while running in targeted mode (will it affect?)
3. The macro logging_set_loginuid is defined in the file policy-20070501.patch

Here is an extract of how logging_set_loginuid is defined in the patch :

+########################################
+##
+## Set login uid
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_set_loginuid',`
+	gen_require(`
+		attribute can_set_loginuid;
+		attribute can_send_audit_msg;
+	')
+
+	typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+	allow $1 self:capability audit_control;
+	allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
+')

Hope it helps in solving the problem...
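Review bot: the last rule of the interface, `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };`, spells the permission `nlsms_relay` while the class, as the require block in the local.te above shows, declares `nlmsg_relay`; every caller of `logging_set_loginuid` therefore fails in checkmodule with exactly the "permission nlsms_relay is not defined for class netlink_audit_socket" error quoted at the top of this message. Change it to `nlmsg_relay` in the interface rather than working around it in the calling module.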
Thanks,
Louis

----- Original Message ----
From: shintaro_fujiwara
To: Hal ; fedora-selinux-list at redhat.com; cpebenito at tresys.com
Sent: Wednesday, August 8, 2007 5:55:49 PM
Subject: Re: Strict policy on FC6 and F7

I think F7 strict policy is broken.
Let's wait for a while until SELinux guys fix it.
I decided to play with FC6 this time.

On Wed, 2007-08-08 at 14:43 -0700, Hal wrote:
> Authentication failed again:(
> but meanwhile I have checked firefox on strict policy on FC7 it does not work.
>
> --- shintaro_fujiwara wrote:
>
> > On Wed, 2007-08-08 at 13:32 -0700, Hal wrote:
> > > Well
> > > I managed to compile the module, but
> > > it does not work for me.
> > > Compiled, loaded, set enforcing and: "authentication failed" again.
> > >
> > > I do not know if I am stupid, but I can not get along with this Selinux...
> > >
> > > Does this module work for you guys????
> > >
> > > hal
> > >
> > > --- "Christopher J. PeBenito" wrote:
> > >
> > > > On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
> > > > > I have tried with
> > > > > logging_send_audit_msgs(local_login_t)
> > > > >
> > > > > But still:
> > > > > [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
> > > > > Compiling strict local module
> > > > > /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> > > > > local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
> > > > > #line 9
> > > > > allow local_login_t self:capability audit_write;
> > Because we did not write
> >
> > class capability { audit_write };
> >
> > in require brace.
> >
> > write it and try again.
> > Did you make it?
> >
> > As a matter of fact, I have another problem on strict policy.
> > I ended up breaking F7 altogether eliminating libselinux with --nodeps.
> > Now I'm trying to upgrade FC6 to F7.
> > You can upgrade FC6 to F7, if you are tired of your process on F7.
> > Do not stop trying strict policy. Never surrender.
> > It's rewarding, and SELinux guys will guide you to the right place.
> >
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make: *** [tmp/local.mod] Error 1
> > > > >
> > > > > I really have no idea what all this means.
> > > > > there is nowhere "allow" in local.te. if it is in this macros at the end...
> > > > > Do I need to install the policy source and edit it?
> > > >
> > > > It is in the interface. You need to change this:
> > > >
> > > > > > module local 1.0;
> > > >
> > > > to this:
> > > >
> > > > policy_module(local,1.0)
> > > >
> > > > It will automatically require all of the kernel object classes.
> > > >
> > > > --
> > > > Chris PeBenito
> > > > Tresys Technology, LLC
> > > > (410) 290-1411 x150
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From sds at tycho.nsa.gov Fri Aug 10 12:04:49 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 10 Aug 2007 08:04:49 -0400
Subject: Strict policy on FC6 and F7
In-Reply-To: <34135.81661.qm@web34808.mail.mud.yahoo.com>
References: <34135.81661.qm@web34808.mail.mud.yahoo.com>
Message-ID: <1186747489.7233.26.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-08-09 at 19:36 -0700, Louis Lam wrote:
> Hi,
>
> I'm still having problems compiling the local.te module. The problem i'm facing seems to be different from Hal's:
>
> --------------------
> local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
> allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };

Looks like a typo in the policy includes to me (nlsms_relay vs. nlmsg_relay).

> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
> ---------------------
>
> My local.te file looks like this:
> -------------
> policy_module(local,1.0)
>
> require {
>	type local_login_t;
>	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> }
>
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
> -------------
>
> Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.
>
> BTW here are some details on my environment:
>
> 1. I'm using the stock policy for FC7 2.6.4-8
> 2. I did the compilation while running in targeted mode (will it affect?)
> 3. The macro logging_set_loginuid is defined in the file policy-20070501.patch
>
> Here is an extract of how logging_set_loginuid is defined in the patch :
>
> +########################################
> +##
> +## Set login uid
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_set_loginuid',`
> +	gen_require(`
> +		attribute can_set_loginuid;
> +		attribute can_send_audit_msg;
> +	')
> +
> +	typeattribute $1 can_set_loginuid, can_send_audit_msg;
> +
> +	allow $1 self:capability audit_control;
> +	allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
> +')

Looks like the typo is there, and that interface doesn't seem to be present in the upstream refpolicy.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Aug 10 15:16:12 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 10 Aug 2007 11:16:12 -0400
Subject: Strict policy on FC6 and F7
In-Reply-To: <1186610150.3108.26.camel@notepc.intrajp-yokosuka.co.jp>
References: <753043.34611.qm@web32204.mail.mud.yahoo.com> <1186610150.3108.26.camel@notepc.intrajp-yokosuka.co.jp>
Message-ID: <46BC813C.6080209@redhat.com>

shintaro_fujiwara wrote:
> I think F7 strict policy is broken.
> Let's wait for a while until SELinux guys fix it.
> I decided to play with FC6 this time.
>
> On Wed, 2007-08-08 at 14:43 -0700, Hal wrote:
>> Authentication failed again:(
>> but meanwhile I have checked firefox on strict policy on FC7 it does not work.
>>
>> --- shintaro_fujiwara wrote:
>>
>>> On Wed, 2007-08-08 at 13:32 -0700, Hal wrote:
>>>> Well
>>>> I managed to compile the module, but
>>>> it does not work for me.
>>>> Compiled, loaded, set enforcing and: "authentication failed" again.
>>>>
>>>> I do not know if I am stupid, but I can not get along with this Selinux...
>>>>
>>>> Does this module work for you guys????
>>>>
>>>> hal
>>>>
>>>> --- "Christopher J. PeBenito" wrote:
>>>>
>>>>> On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
>>>>>> I have tried with
>>>>>> logging_send_audit_msgs(local_login_t)
>>>>>>
>>>>>> But still:
>>>>>> [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile local.pp
>>>>>> Compiling strict local module
>>>>>> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
>>>>>> local.te:9:ERROR 'unknown class capability used in rule' at token ';' on line 81105:
>>>>>> #line 9
>>>>>> allow local_login_t self:capability audit_write;
>>> Because we did not write
>>>
>>> class capability { audit_write };
>>>
>>> in require brace.
>>>
>>> write it and try again.
>>> Did you make it?
>>>
>>> As a matter of fact, I have another problem on strict policy.
>>> I ended up breaking F7 altogether eliminating libselinux with --nodeps.
>>> Now I'm trying to upgrade FC6 to F7.
>>> You can upgrade FC6 to F7, if you are tired of your process on F7.
>>> Do not stop trying strict policy. Never surrender.
>>> It's rewarding, and SELinux guys will guide you to the right place.
>>>
>>>>>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>>>>>> make: *** [tmp/local.mod] Error 1
>>>>>>
>>>>>> I really have no idea what all this means.
>>>>>> there is nowhere "allow" in local.te. if it is in this macros at the end...
>>>>>> Do I need to install the policy source and edit it?
>>>>>
>>>>> It is in the interface. You need to change this:
>>>>>
>>>>>>>> module local 1.0;
>>>>>
>>>>> to this:
>>>>>
>>>>> policy_module(local,1.0)
>>>>>
>>>>> It will automatically require all of the kernel object classes.
>>>>>
>>>>> --
>>>>> Chris PeBenito
>>>>> Tresys Technology, LLC
>>>>> (410) 290-1411 x150
>

I am not sure what is broken on Firefox on Strict policy as of Fedora 7. I have begun the merge of strict and targeted in rawhide Fedora Core 8/Test1.

I have done some rewriting of the Mozilla/Firefox policy. There were several problems in the existing policy and several problems in the way the OS is designed. Mainly these dealt with the use of the /tmp file system by gnome. I have rewritten the mozilla policy to use one of three booleans.

firefox no network access (r/only)
Firefox with network access (R/O on homedir)
Firefox with network access (r/w on homedir)

firefox currently transitions from the user domain to userdomain_mozilla_t. So for example user_t -> user_mozilla_t. But I am allowing firefox to r/w user_tmp_t as well as user_mozilla_tmp_t. This allows firefox to interact with X sockets, gdm_files, iceauth files, orbitz files. Trying to lock this down does not work.

So if you want to use a locked down firefox, I would recommend looking at Fedora 8 Test1, and setting up a xguest user. xguest users can only access the web via firefox and are totally locked down.

From dwalsh at redhat.com Fri Aug 10 15:17:42 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 10 Aug 2007 11:17:42 -0400
Subject: Strict policy on FC6 and F7
In-Reply-To: <34135.81661.qm@web34808.mail.mud.yahoo.com>
References: <34135.81661.qm@web34808.mail.mud.yahoo.com>
Message-ID: <46BC8196.20304@redhat.com>

Louis Lam wrote:
> Hi,
>
> I'm still having problems compiling the local.te module. The problem i'm facing seems to be different from Hal's:
>
> --------------------
> local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
> allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
> ---------------------
>
> My local.te file looks like this:
> -------------
> policy_module(local,1.0)
>
> require {
>	type local_login_t;
>	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> }
>
> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
> -------------
>
> Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.
>
> BTW here are some details on my environment:
>
> 1. I'm using the stock policy for FC7 2.6.4-8
> 2. I did the compilation while running in targeted mode (will it affect?)
> 3. The macro logging_set_loginuid is defined in the file policy-20070501.patch
>
> Here is an extract of how logging_set_loginuid is defined in the patch :
>
> +########################################
> +##
> +## Set login uid
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_set_loginuid',`
> +	gen_require(`
> +		attribute can_set_loginuid;
> +		attribute can_send_audit_msg;
> +	')
> +
> +	typeattribute $1 can_set_loginuid, can_send_audit_msg;
> +
> +	allow $1 self:capability audit_control;
> +	allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
> +')
>
> Hope it helps in solving the problem...
>
> Thanks,
> Louis

I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are using the latest policy?

From lshoujun at yahoo.com Sat Aug 11 01:00:13 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Fri, 10 Aug 2007 18:00:13 -0700 (PDT)
Subject: Strict policy on FC6 and F7
Message-ID: <236794.61090.qm@web34808.mail.mud.yahoo.com>

Hi Dan,

I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm not too sure where to go and how to get the latest policy version. Do i take the latest policy version and remake the source RPM? Or are there pre-packaged rpms that I can use to upgrade?

You didn't see this problem in RHEL 5? Do i need the local.te module if I use the "stock" RHEL 5? I tried switching to strict policy in RHEL 5 and cannot login with root. But I can log in as a normal user. Is it "normal" that this restriction be placed on root? Is the local.te trying to enable root login?

Thanks,
Louis

----- Original Message ----
From: Daniel J Walsh
To: Louis Lam
Cc: shintaro_fujiwara ; Hal ; fedora-selinux-list at redhat.com; cpebenito at tresys.com
Sent: Friday, August 10, 2007 11:17:42 PM
Subject: Re: Strict policy on FC6 and F7

Louis Lam wrote:
> [...]

I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are using the latest policy?

From wart at kobold.org Sat Aug 11 02:27:01 2007
From: wart at kobold.org (Wart)
Date: Fri, 10 Aug 2007 19:27:01 -0700
Subject: failed to load policy
Message-ID: <46BD1E75.60507@kobold.org>

I've got a policy that I built according to the packaging guidelines[1] that has been working fine for me for FC6 and F7. But today when I rebuilt the package and installed on rawhide, semodule fails to load the module:

# semodule -s targeted -i /usr/share/selinux/targeted/xpilotd.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

Has something changed in Rawhide that I need to reflect in the way I build/load the module, or should I file a bugzilla on this?

--Wart
[1]http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

From dwalsh at redhat.com Sat Aug 11 11:14:23 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 11 Aug 2007 07:14:23 -0400
Subject: avc denied for /sbin/rpc.statd
In-Reply-To:
References:
Message-ID: <46BD9A0F.4070605@redhat.com>

Pedro Lamarão wrote:
> I got this today while updating an FC7 system.
>
> avc: denied { search } for comm="rpc.statd" dev=dm-0 egid=0 euid=0 exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="sbin" pid=7791 scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:bin_t:s0 tty=(none) uid=0
>
> avc: denied { search } for comm="rpc.statd" egid=0 euid=0 exe="/sbin/rpc.statd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=7790 scontext=system_u:system_r:rpcd_t:s0 sgid=0 subj=system_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:sysctl_fs_t:s0 tty=(none) uid=0
>
> --
> Pedro Lamarão

Do you have the latest policy installed on your system 2.6.4-30 or later?

From dwalsh at redhat.com Sat Aug 11 11:20:56 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 11 Aug 2007 07:20:56 -0400
Subject: failed to load policy
In-Reply-To: <46BD1E75.60507@kobold.org>
References: <46BD1E75.60507@kobold.org>
Message-ID: <46BD9B98.4010206@redhat.com>

Wart wrote:
> I've got a policy that I built according to the packaging guidelines[1] that has been working fine for me for FC6 and F7. But today when I rebuilt the package and installed on rawhide, semodule fails to load the module:
>
> # semodule -s targeted -i /usr/share/selinux/targeted/xpilotd.pp
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> Has something changed in Rawhide that I need to reflect in the way I build/load the module, or should I file a bugzilla on this?
>
> --Wart
> [1]http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

Yes the Makefile has changed. It should be fixed in selinux-policy-3_0_5-6_fc8

If you replace /usr/share/selinux/devel/Makefile with the attached, you should be able to build your policy.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Makefile
URL:

From dwalsh at redhat.com Sat Aug 11 11:23:51 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 11 Aug 2007 07:23:51 -0400
Subject: beginner to SE Linux policy
In-Reply-To: <9f066ee90708071056j74618a8akd860ef084f055243@mail.gmail.com>
References: <9f066ee90707271204p2bfe6da7k4f8f50798c50c2e8@mail.gmail.com> <7b740b700707280714u72d59b83j3f6c3065d15e2b79@mail.gmail.com> <9f066ee90708071056j74618a8akd860ef084f055243@mail.gmail.com>
Message-ID: <46BD9C47.6080407@redhat.com>

Mark wrote:
> Thanks for the help. I just want to become more familiar with SE Linux and understand the context of the te, fe, if..etc files and how I can modify them so that my programs are more secure. There just seems to be a lot of information that may or may not be related in order to help me. For instance, there is the seedit tools, SLIDE and RedHat tools available. Also, which is a better distribution to learn SE Linux, CentOS or Fedora Core?
>
> I am an application developer who really just needs to learn how to write policies for the programs I am developing. Things like policies, domains and domain transition are important areas I really want to learn.
>
> Thanks for the help.
>
> PS. I ordered the SE Linux by Example yesterday!
> --
> ..Cheers
> Mark

You might want to try system-config-selinux/polgengui to build you a policy template.

>
> On 7/28/07, *shahbaz khan* wrote:
>
>     Mark
>
>     Selinux by example is the best answer to ur stated problem. NSA documents will give u a good background because things have been changing a lot. Do not miss tresys' reference policy and policy management server. U can get more info about it from tresys' website. Once u start to get acquainted with selinux this mailing list will be more useful to u. Also join fedora selinux mailing list.
>
>     I am not sure which policy analysis tool will be more useful to u. Why dont u write a more specific question to this list w.r.t. policy analysis tools. U might get good answers from selinux by example.
>
>     Shaz.
>
>     On 7/28/07, *Mark* wrote:
>
>         I have seen programs that will help me to edit and analyze SE Linux policies. What I am interested in is a resource that will help me understand what a policy does and how to write them. At least for me, learning at the code level and not using GUI tools helps me to understand things better.
>
>         So what resources are out there for me to start looking at?
>
>         Thanks in advance.
>         Mark
>
> ------------------------------------------------------------------------

From jihene_tanneche at yahoo.fr Mon Aug 13 08:49:50 2007
From: jihene_tanneche at yahoo.fr (jihene tanneche)
Date: Mon, 13 Aug 2007 08:49:50 +0000 (GMT)
Subject: SElinux beginner
Message-ID: <727458.53608.qm@web28112.mail.ukl.yahoo.com>

Which is a better distribution to learn SE Linux, Mandriva or Fedora Core? Are there some problems with mandriva to compile SElinux or not?

thanks in advance

From lshoujun at yahoo.com Mon Aug 13 09:41:15 2007
From: lshoujun at yahoo.com (Louis Lam)
Date: Mon, 13 Aug 2007 10:41:15 +0100 (BST)
Subject: Strict policy on FC6 and F7
In-Reply-To: <1186747489.7233.26.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <244345.63574.qm@web34805.mail.mud.yahoo.com>

Hi,

I've fixed the typo problem on nlsms_relay. Now the module compiles ok, but I can't load it via semodule, i'm getting this error:

semodule -vi local.pp
libsepol.permission_copy_callback: Module local depends on permission nlsms_relay in class netlink_audit_socket, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

My local.te looks like this now,
----------------------------
policy_module(local,1.0)

require {
	type local_login_t;
	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlsms_relay nlmsg_read create read };
}

logging_send_audit_msg(local_login_t)
logging_set_loginuid(local_login_t)
-----------------------

I don't quite understand why there is a dependency not satisfied.

Thanks,
Louis

--- Stephen Smalley wrote:

> On Thu, 2007-08-09 at 19:36 -0700, Louis Lam wrote:
> > Hi,
> >
> > I'm still having problems compiling the local.te module. The problem i'm facing seems to be different from Hal's:
> >
> > --------------------
> > local.te:11:ERROR 'permission nlsms_relay is not defined for class netlink_audit_socket' at token ';' on line 80809:
> > allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
>
> Looks like a typo in the policy includes to me (nlsms_relay vs. nlmsg_relay).
>
> > #line 11
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/local.mod] Error 1
> > ---------------------
> >
> > My local.te file looks like this:
> > -------------
> > policy_module(local,1.0)
> >
> > require {
> >	type local_login_t;
> >	class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > }
> >
> > logging_send_audit_msg(local_login_t)
> > logging_set_loginuid(local_login_t)
> > -------------
> >
> > Seems like the problem is with logging_set_loginuid macro. I'm not sure how to solve this problem though.
> >
> > BTW here are some details on my environment:
> >
> > 1. I'm using the stock policy for FC7 2.6.4-8
> > 2. I did the compilation while running in targeted mode (will it affect?)
> > 3. The macro logging_set_loginuid is defined in the file policy-20070501.patch
> >
> > Here is an extract of how logging_set_loginuid is defined in the patch :
> >
> > +########################################
> > +##
> > +## Set login uid
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`logging_set_loginuid',`
> > +	gen_require(`
> > +		attribute can_set_loginuid;
> > +		attribute can_send_audit_msg;
> > +	')
> > +
> > +	typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > +
> > +	allow $1 self:capability audit_control;
> > +	allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
> > +')
>
> Looks like the typo is there, and that interface doesn't seem to be present in the upstream refpolicy.
>
> --
> Stephen Smalley
> National Security Agency
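Louis's second local.te copied the misspelling into the require block, so checkmodule was satisfied and the failure only surfaced when semodule linked the module against the base policy. The Python lint below, an added example that is not code from this thread or from any SELinux project, reproduces both checks on a module's m4-expanded text: it flags allow-rule permissions missing from the module's own require block (what checkmodule rejects) and required permissions missing from the base policy (what the linker rejects). The base-policy permission table and the sample module texts are constructed for the example and are not dumps of any real policy.

```python
"""Lint an SELinux policy module the way the thread's two tools do.

checkmodule validates allow rules against the module's own require block;
semodule's linker validates the require block against the base policy.
Added example, not code from the thread or from any SELinux project.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed for this example: permissions the base policy declares for the
# classes the thread touches.  Assumption: a representative subset of the
# refpolicy declarations, not a dump of any real base policy.
BASE_CLASS_PERMS: Dict[str, Set[str]] = {
    "netlink_audit_socket": {
        "create", "ioctl", "read", "getattr", "write", "setattr", "append",
        "bind", "connect", "getopt", "setopt", "shutdown",
        "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
    },
    "capability": {"audit_write", "audit_control", "setuid", "setgid"},
}

# `class NAME { perm ... };` as written inside a require { } block.
_REQUIRE_CLASS_RE = re.compile(r"\bclass\s+(\w+)\s*\{([^}]*)\}\s*;")
# Head of an allow rule; the permission part follows and may be nested.
_ALLOW_HEAD_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+")

def parse_require(te_text: str) -> Dict[str, Set[str]]:
    """Map each class in the require block to the permissions it declares."""
    return {cls: set(body.split()) for cls, body in _REQUIRE_CLASS_RE.findall(te_text)}

def _brace_group(text: str, start: int) -> str:
    """Return the content of the (possibly nested) brace group opening at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in permission set")

def parse_allow(te_text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Return (source, target, class, perms) for every allow rule.

    Nested sets such as `{ { create { ioctl read } } nlmsg_read }`, which m4
    leaves behind when create_socket_perms is expanded, are flattened.
    """
    rules = []
    for m in _ALLOW_HEAD_RE.finditer(te_text):
        pos = m.end()
        if te_text[pos] == "{":
            body = _brace_group(te_text, pos)
        else:
            body = re.match(r"\w+", te_text[pos:]).group(0)
        rules.append((m.group(1), m.group(2), m.group(3), set(re.findall(r"\w+", body))))
    return rules

def check_module(te_text: str, base: Dict[str, Set[str]] = BASE_CLASS_PERMS) -> List[str]:
    """Return the findings checkmodule (compile) and semodule (link) would raise."""
    findings = []
    declared = parse_require(te_text)
    # Stage 1 (compile): every class and permission an allow rule uses must be
    # declared by the module itself.  A typo spelled the same way in the rule
    # and in the require block passes this stage.
    for _src, _tgt, cls, perms in parse_allow(te_text):
        if cls not in declared:
            findings.append(f"compile: unknown class {cls} used in rule")
            continue
        for perm in sorted(perms - declared[cls]):
            findings.append(f"compile: permission {perm} is not defined for class {cls}")
    # Stage 2 (link): every declared permission must exist in the base policy.
    # This is where a consistently misspelled permission finally fails.
    for cls, perms in declared.items():
        for perm in sorted(perms - base.get(cls, set())):
            findings.append(f"link: module depends on permission {perm} in class {cls}, not satisfied")
    return findings

# Constructed module texts modelled on the thread, as they look after m4 has
# expanded logging_set_loginuid into its allow rule.
_REQUIRE = "require { type local_login_t; class netlink_audit_socket { PERMS }; }\n"
_ALLOW = ("allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr "
          "write setattr append bind connect getopt setopt shutdown } } nlmsg_read RELAY };\n")
_SOCK = "append bind connect shutdown ioctl getattr setattr getopt setopt write nlmsg_read create read"

# First version: require block spells nlmsg_relay, the interface's rule says nlsms_relay.
FIRST_TE = _REQUIRE.replace("PERMS", _SOCK + " nlmsg_relay") + _ALLOW.replace("RELAY", "nlsms_relay")
# Second version: the typo copied into the require block, so it compiles but will not link.
SECOND_TE = _REQUIRE.replace("PERMS", _SOCK + " nlsms_relay") + _ALLOW.replace("RELAY", "nlsms_relay")
# Fixed: both sides spell nlmsg_relay.
FIXED_TE = _REQUIRE.replace("PERMS", _SOCK + " nlmsg_relay") + _ALLOW.replace("RELAY", "nlmsg_relay")
# A rule on a class the module never required, the earlier "unknown class" error.
UNREQUIRED_TE = FIXED_TE + "allow local_login_t self:capability audit_control;\n"

if __name__ == "__main__":
    for name, text in (("first", FIRST_TE), ("second", SECOND_TE),
                       ("fixed", FIXED_TE), ("unrequired", UNREQUIRED_TE)):
        print(name, check_module(text) or ["ok"])
```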
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 13 Aug 2007 07:29:29 -0400 Subject: Strict policy on FC6 and F7 In-Reply-To: <236794.61090.qm@web34808.mail.mud.yahoo.com> References: <236794.61090.qm@web34808.mail.mud.yahoo.com> Message-ID: <46C04099.1010104@redhat.com> Louis Lam wrote: > Hi Dan, > > I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm > not too sure where to go and how to get the latest policy version. Do > i take the latest policy version and remake the source RPM? Or are > there pre-packaged rpms that I can use to upgrade? > You should be able to simply do a yum update. > You didn't see this problem in RHEL 5? Do i need the local.te module > if I use the "stock" RHEL 5? I tried switching to strict policy in > RHEL 5 and cannot login with root. But I can log in as a normal user. > Is it "normal" that this restriction be placed on root? Is the > local.te trying to enable root login? No this sounds like either a bug or a labeling problem in RHEL5. You should be able to login as root. You might want to update to the U1 policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5 > > Thanks, > Louis > > ----- Original Message ---- 
> From: Daniel J Walsh > To: Louis Lam > Cc: shintaro_fujiwara ; Hal > ; fedora-selinux-list at redhat.com; cpebenito at tresys.com > Sent: Friday, August 10, 2007 11:17:42 PM > Subject: Re: Strict policy on FC6 and F7 > > Louis Lam wrote: > > Hi, > > > > I'm still having problems compiling the local.te module. The problem > > i'm facing seems to be different from Hal's: > > > > -------------------- > > local.te:11:ERROR 'permission nlsms_relay is not defined for class > > netlink_audit_socket' at token ' > > ;' on line 80809: > > allow local_login_t self:netlink_audit_socket { { create { > > ioctl read getattr write setattr > > append bind connect getopt setopt shutdown } } nlmsg_read > nlsms_relay }; > > #line 11 > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > > make: *** [tmp/local.mod] Error 1 > > --------------------- > > > > My local.te file looks like this: > > ------------- > > policy_module(local,1.0) > > > > require { > > > > type local_login_t; > > class netlink_audit_socket { append bind connect shutdown > > ioctl getattr setattr shutdown ge > > topt setopt write nlmsg_relay nlmsg_read create read }; > > } > > > > > > logging_send_audit_msg(local_login_t) > > logging_set_loginuid(local_login_t) > > > > ------------- > > > > Seems like the problem is with logging_set_loginuid macro. I'm not > > sure how to solve this problem though. > > > > BTW here are some details on my environment: > > > > 1. I'm using the stock policy for FC7 2.6.4-8 > > 2. I did the compilation while running in targeted mode (will it > affect?) > > 3. The macro logging_set_loginuid is defined in the file > > policy-20070501.patch > > > > Here is an extract of how logging_set_loginuid is defined in the patch : > > > > +######################################## > > +## > > +## Set login uid > > +## > > +## > > +## > > +## Domain allowed access. 
> > +## > > +## > > +# > > +interface(`logging_set_loginuid',` > > + gen_require(` > > + attribute can_set_loginuid; > > + attribute can_send_audit_msg; > > + ') > > + > > + typeattribute $1 can_set_loginuid, can_send_audit_msg; > > + > > + allow $1 self:capability audit_control; > > + allow $1 self:netlink_audit_socket { create_socket_perms > > nlmsg_read nlsms_relay }; > > +') > > > > Hope it helps in solving the problem... > > > > Thanks, > > Louis > I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are > using the latest policy? > > > Send instant messages to your online friends > http://uk.messenger.yahoo.com From dwalsh at redhat.com Mon Aug 13 11:32:55 2007 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 13 Aug 2007 07:32:55 -0400 Subject: Strict policy on FC6 and F7 In-Reply-To: <244345.63574.qm@web34805.mail.mud.yahoo.com> References: <244345.63574.qm@web34805.mail.mud.yahoo.com> Message-ID: <46C04167.7040902@redhat.com>

Louis Lam wrote:
> Hi,
>
> I've fixed the typo problem on nlsms_relay. Now the module compiles ok, but I can't load it via
> semodule, I'm getting this error:
>
> semodule -vi local.pp
>
> libsepol.permission_copy_callback: Module local depends on permission nlsms_relay in class
> netlink_audit_socket, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> My local.te looks like this now,
>
> ----------------------------
>
> policy_module(local,1.0)
>
> require {
>
> type local_login_t;
> class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown
> getopt setopt write nlsms_relay nlmsg_read create read };
> }
>
should be nlmsg_relay NetLinkMeSsaGe :^)

> logging_send_audit_msg(local_login_t)
> logging_set_loginuid(local_login_t)
>
> -----------------------
>
> I don't quite understand why there is a dependency not satisfied.
>
> Thanks,
> Louis
>
> --- Stephen Smalley wrote:
>
>> On Thu, 2007-08-09 at 19:36 -0700, Louis Lam wrote:
>>
>>> Hi,
>>>
>>> I'm still having problems compiling the local.te module. The problem
>>> I'm facing seems to be different from Hal's:
>>>
>>> --------------------
>>> local.te:11:ERROR 'permission nlsms_relay is not defined for class
>>> netlink_audit_socket' at token ';' on line 80809:
>>> allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr
>>> append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
>>>
>> Looks like a typo in the policy includes to me (nlsms_relay vs.
>> nlmsg_relay).
>> >> >>> #line 11 >>> /usr/bin/checkmodule: error(s) encountered while parsing >>> configuration >>> make: *** [tmp/local.mod] Error 1 >>> --------------------- >>> >>> My local.te file looks like this: >>> ------------- >>> policy_module(local,1.0) >>> >>> require { >>> >>> type local_login_t; >>> class netlink_audit_socket { append bind connect shutdown >>> ioctl getattr setattr shutdown ge >>> topt setopt write nlmsg_relay nlmsg_read create read }; >>> } >>> >>> >>> logging_send_audit_msg(local_login_t) >>> logging_set_loginuid(local_login_t) >>> >>> ------------- >>> >>> Seems like the problem is with logging_set_loginuid macro. I'm not >>> sure how to solve this problem though. >>> >>> BTW here are some details on my environment: >>> >>> 1. I'm using the stock policy for FC7 2.6.4-8 >>> 2. I did the compilation while running in targeted mode (will it >>> affect?) >>> 3. The macro logging_set_loginuid is defined in the file >>> policy-20070501.patch >>> >>> Here is an extract of how logging_set_loginuid is defined in the >>> patch : >>> >>> +######################################## >>> +## >>> +## Set login uid >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`logging_set_loginuid',` >>> + gen_require(` >>> + attribute can_set_loginuid; >>> + attribute can_send_audit_msg; >>> + ') >>> + >>> + typeattribute $1 can_set_loginuid, can_send_audit_msg; >>> + >>> + allow $1 self:capability audit_control; >>> + allow $1 self:netlink_audit_socket { create_socket_perms >>> nlmsg_read nlsms_relay }; >>> >>> +') >>> >> Looks like the typo is there, and that interface doesn't seem to be >> present in the upstream refpolicy. 
>> >> -- >> Stephen Smalley >> National Security Agency >> >> >> > > > Send instant messages to your online friends http://uk.messenger.yahoo.com > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From elihusmails at gmail.com Mon Aug 13 12:40:30 2007 From: elihusmails at gmail.com (Mark) Date: Mon, 13 Aug 2007 08:40:30 -0400 Subject: SElinux beginner In-Reply-To: <727458.53608.qm@web28112.mail.ukl.yahoo.com> References: <727458.53608.qm@web28112.mail.ukl.yahoo.com> Message-ID: <9f066ee90708130540v51a93d85ud7cd0d096f47c27d@mail.gmail.com> I am fairly new to SE Linux as well, and all indications I have received are that Fedora Core is the best distribution to use. -- ..Cheers Mark On 8/13/07, jihene tanneche wrote: > > Which is a better distribution to learn SE Linux, Mandriva or Fedora > Core? > Are there some problems with Mandriva to compile SElinux or not? > thanks in advance > > ------------------------------ > Keep just one e-mail address! Copy your mail to Yahoo! Mail > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jihene_tanneche at yahoo.fr Mon Aug 13 13:13:47 2007
From: jihene_tanneche at yahoo.fr (jihene tanneche) Date: Mon, 13 Aug 2007 13:13:47 +0000 (GMT) Subject: SElinux beginner Message-ID: <110455.85083.qm@web28114.mail.ukl.yahoo.com> Thanks Mark, have you ever written some policies and tested them? ----- Original message ---- From: Mark To: jihene tanneche Cc: fedora-selinux-list at redhat.com Sent: Monday, 13 August 2007, 14:40:30 Subject: Re: SElinux beginner I am fairly new to SE Linux as well, and all indications I have received are that Fedora Core is the best distribution to use. -- ..Cheers Mark On 8/13/07, jihene tanneche wrote: Which is a better distribution to learn SE Linux, Mandriva or Fedora Core? Are there some problems with Mandriva to compile SElinux or not? thanks in advance Keep just one e-mail address! Copy your mail to Yahoo! Mail -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list ______________________________________________________________________________ Unlimited storage for your mail with Yahoo! Mail. Change your mail today! -------------- next part -------------- An HTML attachment was scrubbed... URL: From elihusmails at gmail.com Mon Aug 13 13:32:52 2007
From: elihusmails at gmail.com (Mark) Date: Mon, 13 Aug 2007 09:32:52 -0400 Subject: SElinux beginner In-Reply-To: <110455.85083.qm@web28114.mail.ukl.yahoo.com> References: <110455.85083.qm@web28114.mail.ukl.yahoo.com> Message-ID: <9f066ee90708130632n1a40ad5dgc0a2755edee50768@mail.gmail.com> Yes. Just reading various tutorials and using the policygentool. I ordered the book "SE Linux by Example" since many people on this list have suggested that it is a great resource. -- ..Cheers Mark On 8/13/07, jihene tanneche wrote: > > Thanks Mark, have you ever written some policies and tested them? > > ----- Original message ---- > From: Mark > To: jihene tanneche > Cc: fedora-selinux-list at redhat.com > Sent: Monday, 13 August 2007, 14:40:30 > Subject: Re: SElinux beginner > > I am fairly new to SE Linux as well, and all indications I have received > are that Fedora Core is the best distribution to use. > > -- > ..Cheers > Mark > > On 8/13/07, jihene tanneche wrote: > > > > Which is a better distribution to learn SE Linux, Mandriva or Fedora > > Core? > > Are there some problems with Mandriva to compile SElinux or not? > > thanks in advance > > > > ------------------------------ > > Keep just one e-mail address! Copy your mail to Yahoo! Mail > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > > ------------------------------ > Unlimited storage for your mail with Yahoo! Mail. Change your mail > today! > -------------- next part -------------- An HTML attachment was scrubbed... URL: From temlakos at gmail.com Mon Aug 13 15:37:58 2007
From: temlakos at gmail.com (Temlakos) Date: Mon, 13 Aug 2007 11:37:58 -0400 Subject: Freeciv 2.0.8 Message-ID: <46C07AD6.2050902@gmail.com> Everyone: Would SELinux interfere with Freeciv? Freeciv works in single-player mode primarily by starting its own server process and connecting to it. But when I try to start a Freeciv client, I get this message: > Starting server... > Couldn't connect to the server. > We probably couldn't start it from here. > You'll have to start one manually. Sorry.... Then when I /do/ try to start a Freeciv server manually, and load a game, I can't connect. When I try to use Freeciv's client to "connect to a network game"--well, I see a few games out on the Internet, but /none/ in my "Local Area Network." When I run Freeciv on a Windows box--no problem at all. What might be the issue? Actually, I tried disabling SELinux, and then running Freeciv right away. No joy. (Whenever I process updates to selinux-policy and selinux-policy-targeted, I always disable SELinux, process the update, re-enforce SELinux, and restart the system for relabeling.) It's either some obscure element of SELinux, or it's the kernel. I don't even know how to go about diagnosing it. I would appreciate any suggestion. I know it's "just a game," but anything that interferes with a game, might also interfere with a business or professional application that I might try to develop, that needs to do something similar. Temlakos From bruno at wolff.to Mon Aug 13 16:19:19 2007 
From: bruno at wolff.to (Bruno Wolff III) Date: Mon, 13 Aug 2007 11:19:19 -0500 Subject: Freeciv 2.0.8 In-Reply-To: <46C07AD6.2050902@gmail.com> References: <46C07AD6.2050902@gmail.com> Message-ID: <20070813161919.GA6060@wolff.to> On Mon, Aug 13, 2007 at 11:37:58 -0400, Temlakos wrote: > Everyone: > > Would SELinux interfere with Freeciv? > > Freeciv works in single-player mode primarily by starting its own server > process and connecting to it. But when I try to start a Freeciv client, > I get this message: In theory it could, but it seems unlikely that targeted policy would interfere when you are starting it from the desktop. > >Starting server... > >Couldn't connect to the server. > >We probably couldn't start it from here. > >You'll have to start one manually. Sorry.... What do your logs say? You can see if there were any AVC denials from selinux. Also, freeciv might have its own logging that could tell you more about what is going wrong. Firewall logs most likely end up in /var/log/messages and would be good to check as well. > Then when I /do/ try to start a Freeciv server manually, and load a > game, I can't connect. When I try to use Freeciv's client to "connect to > a network game"--well, I see a few games out on the Internet, but /none/ > in my "Local Area Network." This makes me think that firewall rules are a possible culprit. From temlakos at gmail.com Mon Aug 13 18:13:39 2007 
From: temlakos at gmail.com (Temlakos) Date: Mon, 13 Aug 2007 14:13:39 -0400 Subject: Freeciv 2.0.8 In-Reply-To: <20070813161919.GA6060@wolff.to> References: <46C07AD6.2050902@gmail.com> <20070813161919.GA6060@wolff.to> Message-ID: <46C09F53.8020005@gmail.com> Bruno Wolff III wrote: > On Mon, Aug 13, 2007 at 11:37:58 -0400, > Temlakos wrote: > >> Everyone: >> >> Would SELinux interfere with Freeciv? >> >> Freeciv works in single-player mode primarily by starting its own server >> process and connecting to it. But when I try to start a Freeciv client, >> I get this message: >> > > In theory it could, but it seems unlikely that targeted policy would > interfere when you are starting it from the desktop. > > >>> Starting server... >>> Couldn't connect to the server. >>> We probably couldn't start it from here. >>> You'll have to start one manually. Sorry.... >>> > > What do your logs say? > You can see if there were any AVC denials from selinux. Also, freeciv > might have its own logging that could tell you more about what is going > wrong. > Firewall logs most likely end up in /var/log/messages and would be good to > check as well. > > >> Then when I /do/ try to start a Freeciv server manually, and load a >> game, I can't connect. When I try to use Freeciv's client to "connect to >> a network game"--well, I see a few games out on the Internet, but /none/ >> in my "Local Area Network." >> > > This makes me think that firewall rules are a possible culprit. > > All right, here are my firewall rules: > # Firewall configuration written by system-config-securitylevel > # Manual customization of this file is not recommended. 
> *filter > :INPUT ACCEPT [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > :RH-Firewall-1-INPUT - [0:0] > -A INPUT -j RH-Firewall-1-INPUT > -A FORWARD -j RH-Firewall-1-INPUT > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT > -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5555 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5555 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 > -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5432 > -j ACCEPT > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > COMMIT The logs say nothing about the programs civclient or civserver, nor do I see anything in the logs referable to a mishap at the time I tried to start those applications. What line should I add, to grant to my system the necessary permissions? Temlakos From bruno at wolff.to Mon Aug 13 19:09:40 2007 
From: bruno at wolff.to (Bruno Wolff III) Date: Mon, 13 Aug 2007 14:09:40 -0500 Subject: Freeciv 2.0.8 In-Reply-To: <46C09F53.8020005@gmail.com> References: <46C07AD6.2050902@gmail.com> <20070813161919.GA6060@wolff.to> <46C09F53.8020005@gmail.com> Message-ID: <20070813190940.GA18711@wolff.to> On Mon, Aug 13, 2007 at 14:13:39 -0400, Temlakos wrote: > >This makes me think that firewall rules are a possible culprit. > > > > > All right, here are my firewall rules: iptables -L is another way to get the firewall rules that shows what they really are. What you have is what they are supposed to be. While they are probably the same (though iptables output format is different) it is possible for them to be different. > ># Firewall configuration written by system-config-securitylevel > ># Manual customization of this file is not recommended. > >*filter > >:INPUT ACCEPT [0:0] > >:FORWARD ACCEPT [0:0] > >:OUTPUT ACCEPT [0:0] > >:RH-Firewall-1-INPUT - [0:0] > >-A INPUT -j RH-Firewall-1-INPUT > >-A FORWARD -j RH-Firewall-1-INPUT > >-A RH-Firewall-1-INPUT -i lo -j ACCEPT > >-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT > >-A RH-Firewall-1-INPUT -p 50 -j ACCEPT > >-A RH-Firewall-1-INPUT -p 51 -j ACCEPT > >-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT > >-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT > >-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5555 > >-j 
ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5555 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5432 > >-j ACCEPT > >-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > >COMMIT I don't see anything in here that is interface specific except the rule to accept all traffic on lo. The only IP specific address is in the multicast range so that shouldn't be a problem. This makes the firewall being the problem scenario seem a lot less likely. > The logs say nothing about the programs civclient or civserver, nor do I > see anything in the logs referable to a mishap at the time I tried to > start those applications. There wouldn't be program names. There would be information from the contents of the packets being logged, such as IP addresses and ports. > What line should I add, to grant to my system the necessary permissions? For a quick test of the firewall, you could disable it (preferably while your local network is disconnected from the internet) and see if it helps. For help locating freeciv log information, you could look at the documentation for it, search with Google or ask on whatever support sources exist for the project. From tonynelson at georgeanelson.com Mon Aug 13 22:09:42 2007
From: tonynelson at georgeanelson.com (Tony Nelson) Date: Mon, 13 Aug 2007 18:09:42 -0400 Subject: Freeciv 2.0.8 In-Reply-To: <20070813190940.GA18711@wolff.to> References: <46C07AD6.2050902@gmail.com> <20070813161919.GA6060@wolff.to> <46C09F53.8020005@gmail.com> <20070813190940.GA18711@wolff.to> Message-ID: At 2:09 PM -0500 8/13/07, Bruno Wolff III wrote: >On Mon, Aug 13, 2007 at 14:13:39 -0400, > Temlakos wrote: >> >This makes me think that firewall rules are a possible culprit. >> > >> > >> All right, here are my firewall rules: > >iptables -L is another way to get the firewall rules that shows what they >really are. What you have is what they are supposed to be. While they >are probably the same (though iptables output format is different) >it is possible for them to be different. I like `iptables -vL` so I can tell the difference between the localhost rules and the rest. It also lists the traffic, which is useful in finding out what rules are getting triggered when something isn't quite right. tcpdump is also useful; even if you don't understand all of it you may see the port you need open. Please don't word-wrap the `iptables -vL` output in the email -- it makes it hard to read. -- ____________________________________________________________________ TonyN.:' ' From temlakos at gmail.com Mon Aug 13 22:48:31 2007 
From: temlakos at gmail.com (Temlakos) Date: Mon, 13 Aug 2007 18:48:31 -0400 Subject: Freeciv 2.0.8 In-Reply-To: References: <46C07AD6.2050902@gmail.com> <20070813161919.GA6060@wolff.to> <46C09F53.8020005@gmail.com> <20070813190940.GA18711@wolff.to> Message-ID: <46C0DFBF.9050302@gmail.com> Tony Nelson wrote: > At 2:09 PM -0500 8/13/07, Bruno Wolff III wrote: > >> On Mon, Aug 13, 2007 at 14:13:39 -0400, >> Temlakos wrote: >> >>>> This makes me think that firewall rules are a possible culprit. >>>> >>>> >>>> >>> All right, here are my firewall rules: >>> >> iptables -L is another way to get the firewall rules that shows what they >> really are. What you have is what they are supposed to be. While they >> are probably the same (though iptables output format is different) >> it is possible for them to be different. >> > > I like `iptables -vL` so I can tell the difference between the localhost > rules and the rest. It also lists the traffic, which is useful in finding > out what rules are getting triggered when something isn't quite right. > tcpdump is also useful; even if you don't understand all of it you may see > the port you need open. > > Please don't word-wrap the `iptables -vL` output in the email -- it makes > it hard to read. > Had to do some trial-and-error--turns out that "iptables" is an sbin command. My "path" doesn't have it.
Herewith the output of '# sbin/iptables -vL': > Chain INPUT (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source > destination > 28171 22M RH-Firewall-1-INPUT all -- any any > anywhere anywhere > > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source > destination > 0 0 RH-Firewall-1-INPUT all -- any any > anywhere anywhere > > Chain OUTPUT (policy ACCEPT 26383 packets, 8286K bytes) > pkts bytes target prot opt in out source > destination > > Chain RH-Firewall-1-INPUT (2 references) > pkts bytes target prot opt in out source > destination > 1412 4273K ACCEPT all -- lo any anywhere > anywhere > 17 1020 ACCEPT icmp -- any any anywhere > anywhere icmp any > 0 0 ACCEPT esp -- any any anywhere > anywhere > 0 0 ACCEPT ah -- any any anywhere > anywhere > 18 3185 ACCEPT udp -- any any anywhere > 224.0.0.251 udp dpt:mdns > 0 0 ACCEPT udp -- any any anywhere > anywhere udp dpt:ipp > 0 0 ACCEPT tcp -- any any anywhere > anywhere tcp dpt:ipp > 26379 18M ACCEPT all -- any any anywhere > anywhere state RELATED,ESTABLISHED > 0 0 ACCEPT tcp -- any any anywhere > anywhere state NEW tcp dpt:ssh > 95 8202 ACCEPT udp -- any any anywhere > anywhere state NEW udp dpt:netbios-ns > 164 39405 ACCEPT udp -- any any anywhere > anywhere state NEW udp dpt:netbios-dgm > 34 1632 ACCEPT tcp -- any any anywhere > anywhere state NEW tcp dpt:netbios-ssn > 1 48 ACCEPT tcp -- any any anywhere > anywhere state NEW tcp dpt:microsoft-ds > 0 0 ACCEPT tcp -- any any anywhere > anywhere state NEW tcp dpt:personal-agent > 0 0 ACCEPT udp -- any any anywhere > anywhere state NEW udp dpt:personal-agent > 0 0 ACCEPT tcp -- any any anywhere > anywhere state NEW tcp dpt:postgres > 0 0 ACCEPT udp -- any any anywhere > anywhere state NEW udp dpt:postgres > 51 4360 REJECT all -- any any anywhere > anywhere reject-with icmp-host-prohibited Temlakos From temlakos at gmail.com Mon Aug 13 22:50:18 2007 
From: temlakos at gmail.com (Temlakos) Date: Mon, 13 Aug 2007 18:50:18 -0400 Subject: Freeciv 2.0.8 In-Reply-To: References: <46C07AD6.2050902@gmail.com> <20070813161919.GA6060@wolff.to> <46C09F53.8020005@gmail.com> <20070813190940.GA18711@wolff.to> Message-ID: <46C0E02A.5050300@gmail.com> Tony Nelson wrote: > At 2:09 PM -0500 8/13/07, Bruno Wolff III wrote: > >> On Mon, Aug 13, 2007 at 14:13:39 -0400, >> Temlakos wrote: >> >>>> This makes me think that firewall rules are a possible culprit. >>>> >>>> >>>> >>> All right, here are my firewall rules: >>> >> iptables -L is another way to get the firewall rules that shows what they >> really are. What you have is what they are supposed to be. While they >> are probably the same (though iptables output format is different) >> it is possible for them to be different. >> > > I like `iptables -vL` so I can tell the difference between the localhost > rules and the rest. It also lists the traffic, which is useful in finding > out what rules are getting triggered when something isn't quite right. > tcpdump is also useful; even if you don't understand all of it you may see > the port you need open. > > Please don't word-wrap the `iptables -vL` output in the email -- it makes > it hard to read. 
> All right, I'll try that again:

Below is the output of '# /sbin/iptables -vL' on my system:

]# /sbin/iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
28171   22M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 26383 packets, 8286K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1412 4273K ACCEPT     all  --  lo     any     anywhere             anywhere
   17  1020 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere
   18  3185 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ipp
26379   18M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
   95  8202 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:netbios-ns
  164 39405 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:netbios-dgm
   34  1632 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:netbios-ssn
    1    48 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:microsoft-ds
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:personal-agent
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:personal-agent
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:postgres
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:postgres
   51  4360 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

From lshoujun at yahoo.com Tue Aug 14 09:35:07 2007
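Whether the rule set posted in this thread can block Freeciv is something the rules themselves answer, so here is a worked evaluation. The script below is an added example, not code from the thread or from the Freeciv project: it parses the iptables-save text quoted earlier (embedded as a constructed copy), walks INPUT and RH-Firewall-1-INPUT the way the kernel does, and returns the verdict for an inbound packet. The interface name eth0 and the address 192.168.1.10 are illustrative, and port 5556 is an assumption (Freeciv's documented default server port, which the thread never names). The counters in the posted `iptables -vL` already hint at the result: the REJECT rule has 51 hits, and a connection from another LAN host to a port not in the list is exactly what lands there, while anything on lo is accepted by the first rule, so the single-host case (client starting its own server) is not explained by these rules.

```python
"""Evaluate the posted RH-Firewall-1-INPUT rule set for an inbound packet.
Added example for the Freeciv thread; not list or Freeciv code.  Only the
matchers found in the posted rules are modelled (-i, -p, -d, --dport, --state);
-m, --icmp-type and --reject-with do not affect matching here."""

# Constructed copy of the iptables-save output quoted in the thread.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5555 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5555 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

PROTO_NAMES = {"50": "esp", "51": "ah"}  # numeric -p values used in the rules
SETTERS = {"-A": "chain", "-i": "iface", "-d": "dst", "-j": "target"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(save_text):
    """Return (chains, policies): chain -> ordered rule dicts, and
    chain -> default policy (None for user-defined chains)."""
    chains, policies = {}, {}
    for line in save_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
            continue
        toks, rule = line.split(), {}
        for opt, arg in zip(toks[::2], toks[1::2]):  # every option here takes one argument
            if opt in SETTERS:
                rule[SETTERS[opt]] = arg
            elif opt == "-p":
                rule["proto"] = PROTO_NAMES.get(arg, arg)
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt not in ("-m", "--icmp-type", "--reject-with"):
                raise ValueError("unsupported option %r" % opt)
        chains[rule["chain"]].append(rule)
    return chains, policies


def matches(rule, pkt):
    """True if every matcher the rule carries agrees with the packet."""
    return (all(rule[k] == pkt.get(k) for k in ("iface", "proto", "dst", "dport") if k in rule)
            and ("state" not in rule or pkt["state"] in rule["state"]))


def verdict(chains, policies, pkt, chain="INPUT"):
    """First matching terminal target wins; a user chain with no match returns
    to its caller; a built-in chain falls back to its policy."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            if rule["target"] in TERMINAL:
                return rule["target"]
            sub = verdict(chains, policies, pkt, rule["target"])
            if sub is not None:
                return sub
    return policies[chain]


def open_port(save_text, proto, port, before_reject=True):
    """Add an ACCEPT for proto/port to RH-Firewall-1-INPUT, either just above
    the final REJECT (where it belongs) or after it (never reached)."""
    new = "-A RH-Firewall-1-INPUT -m state --state NEW -m %s -p %s --dport %d -j ACCEPT" % (proto, proto, port)
    lines = save_text.splitlines()
    idx = next(i for i, l in enumerate(lines) if " -j REJECT" in l)
    lines.insert(idx if before_reject else idx + 1, new)
    return "\n".join(lines) + "\n"


def lan_new(proto, dport, iface="eth0"):
    """Constructed NEW-connection packet from another LAN host; values are illustrative."""
    return {"iface": iface, "proto": proto, "dst": "192.168.1.10", "dport": dport, "state": "NEW"}


if __name__ == "__main__":
    port = 5556  # assumed: Freeciv's default server port; the thread never names it
    chains, policies = parse_rules(RULES)
    for pkt in (lan_new("tcp", 22), lan_new("tcp", port), lan_new("tcp", port, "lo")):
        print(pkt["iface"], pkt["proto"], pkt["dport"], "->", verdict(chains, policies, pkt))
    for above in (True, False):
        c, p = parse_rules(open_port(RULES, "tcp", port, before_reject=above))
        print("opened", port, "above" if above else "below", "REJECT ->", verdict(c, p, lan_new("tcp", port)))
```

The placement check in open_port is the practical point for the "what line should I add" question: the tool that wrote this rule set inserts new ACCEPT rules above the trailing REJECT, and a rule appended after it (for example with `iptables -A` at a shell) is never consulted, so `iptables -vL` would show zero hits on it while the REJECT counter keeps climbing.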
From: lshoujun at yahoo.com (Louis Lam) Date: Tue, 14 Aug 2007 10:35:07 +0100 (BST) Subject: Strict policy on FC6 and F7 In-Reply-To: <46C04099.1010104@redhat.com> Message-ID: <414980.45368.qm@web34809.mail.mud.yahoo.com> Hi Dan, For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the following rpms: selinux-policy selinux-policy-devel selinux-policy-targeted selinux-policy-strict But I left the libselinux libraries alone since the rpm upgrade went through without complaints. I can't use YUM because my system is not directly connected to the internet. But I'm still faced with the problem of not being able to logon as root at runlevel 5, gui login. Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well? Thanks, Louis --- Daniel J Walsh wrote: > Louis Lam wrote: > > Hi Dan, > > > > I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm > > not too sure where to go and how to get the latest policy version. Do > > I take the latest policy version and remake the source RPM? Or are > > there pre-packaged rpms that I can use to upgrade? > > > You should be able to simply do a yum update. > > You didn't see this problem in RHEL 5? Do I need the local.te module > > if I use the "stock" RHEL 5? I tried switching to strict policy in > > RHEL 5 and cannot login with root. But I can log in as a normal user. > > Is it "normal" that this restriction be placed on root? Is the > > local.te trying to enable root login? > No, this sounds like either a bug or a labeling problem in RHEL5. You > should be able to login as root. You might want to update to the U1 > policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5 > > > > Thanks, > > Louis > > > > ----- Original Message ----
> > From: Daniel J Walsh
> > To: Louis Lam
> > Cc: shintaro_fujiwara ; Hal ; fedora-selinux-list at redhat.com; cpebenito at tresys.com
> > Sent: Friday, August 10, 2007 11:17:42 PM
> > Subject: Re: Strict policy on FC6 and F7
> >
> > Louis Lam wrote:
> > > Hi,
> > >
> > > I'm still having problems compiling the local.te module. The problem
> > > I'm facing seems to be different from Hal's:
> > >
> > > --------------------
> > > local.te:11:ERROR 'permission nlsms_relay is not defined for class
> > > netlink_audit_socket' at token ';' on line 80809:
> > > allow local_login_t self:netlink_audit_socket { { create { ioctl read getattr write setattr
> > > append bind connect getopt setopt shutdown } } nlmsg_read nlsms_relay };
> > > #line 11
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make: *** [tmp/local.mod] Error 1
> > > ---------------------
> > >
> > > My local.te file looks like this:
> > > -------------
> > > policy_module(local,1.0)
> > >
> > > require {
> > >
> > > type local_login_t;
> > > class netlink_audit_socket { append bind connect shutdown ioctl getattr setattr shutdown getopt setopt write nlmsg_relay nlmsg_read create read };
> > > }
> > >
> > >
> > > logging_send_audit_msg(local_login_t)
> > > logging_set_loginuid(local_login_t)
> > >
> > > -------------
> > >
> > > Seems like the problem is with logging_set_loginuid macro. I'm not
> > > sure how to solve this problem though.
> > >
> > > BTW here are some details on my environment:
> > >
> > > 1. I'm using the stock policy for FC7 2.6.4-8
> > > 2. I did the compilation while running in targeted mode (will it affect?)
> > > 3. The macro logging_set_loginuid is defined in the file
> > > policy-20070501.patch
> > >
> > > Here is an extract of how logging_set_loginuid is defined in the patch:
> > >
> > > +########################################
> > > +##
> > > +## Set login uid
> > > +##
> > > +##
> > > +##
> > > +## Domain allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`logging_set_loginuid',`
> > > + gen_require(`
> > > + attribute can_set_loginuid;
> > > + attribute can_send_audit_msg;
> > > + ')
> > > +
> > > + typeattribute $1 can_set_loginuid, can_send_audit_msg;
> > > +
> > > + allow $1 self:capability audit_control;
> > > + allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
> > > +')
> > >
> > > Hope it helps in solving the problem...
> > >
> > > Thanks,
> > > Louis
> > I am not seeing this in RHEL5, FC6, F7 or F8. So are you sure you are
> > using the latest policy?
> >

From hal_bg at yahoo.com Tue Aug 14 10:10:34 2007
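Review bot: the permission name in the last `allow` line of the `logging_set_loginuid` interface, `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };`, is misspelled. The permission that the `netlink_audit_socket` class defines, and that the `require` block in local.te itself lists, is `nlmsg_relay`; checkmodule is reporting exactly that ('permission nlsms_relay is not defined for class netlink_audit_socket'). Changing that line to `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };` in the patch removes the parse error; the `require` block in local.te can then drop the duplicated `shutdown` entry, which is harmless but untidy.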
From: hal_bg at yahoo.com (Hal)
Date: Tue, 14 Aug 2007 03:10:34 -0700 (PDT)
Subject: Strict policy on FC6 and F7
In-Reply-To: <414980.45368.qm@web34809.mail.mud.yahoo.com>
Message-ID: <163308.95369.qm@web32210.mail.mud.yahoo.com>

Hi Louis,

do not lose your time with the login.te module. It does not work, or at least it does not allow login. I could not fix the problem for myself but managed to find that my initial problem with firefox is still not solved in f7 even with the latest policy. So I am still looking for a solution of the firefox problem.

regards
Hal

--- Louis Lam wrote:

> Hi Dan,
>
> For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've
> updated only the following rpms
>
> selinux-policy
> selinux-policy-devel
> selinux-policy-targeted
> selinux-policy-strict
>
> But I left the libselinux libraries alone since the rpm upgrade went through
> without complaints. I can't use YUM because my system is not directly connected to the internet.
>
> But I'm still faced with the problem of not being able to logon as root at
> runlevel 5, gui login.
> Do I still need the login.te module? Or is it advisable to upgrade the
> selinux libraries as well?
>
> Thanks,
> Louis
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Tue Aug 14 11:08:23 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 14 Aug 2007 07:08:23 -0400
Subject: SElinux beginner
In-Reply-To: <9f066ee90708130632n1a40ad5dgc0a2755edee50768@mail.gmail.com>
References: <110455.85083.qm@web28114.mail.ukl.yahoo.com> <9f066ee90708130632n1a40ad5dgc0a2755edee50768@mail.gmail.com>
Message-ID: <46C18D27.3070009@redhat.com>

Mark wrote:
> yes. Just reading various tutorials and using the policygentool. I
> ordered the book "SE Linux by Example" since many people on this list
> have suggested that it is a great resource.
>
Please try out the newer version of this tool, in system-config-selinux, under the policy module section. Click new and a policy wizard will show up.
> --
> ..Cheers
> Mark
>
> On 8/13/07, *jihene tanneche* wrote:
>
> thanks mark, have you ever written some policies and tested them?
>
> ----- Original Message ----
> From: Mark < elihusmails at gmail.com >
> To: jihene tanneche
> Cc: fedora-selinux-list at redhat.com
> Sent: Monday, 13 August 2007, 14:40:30
> Subject: Re: SElinux beginner
>
> I am fairly new to SE Linux as well, and all indications I have
> received is that Fedora Core is the best distribution to use.
>
> --
> ..Cheers
> Mark
>
> On 8/13/07, *jihene tanneche* < jihene_tanneche at yahoo.fr > wrote:
>
> Which is a better distribution to learn SE Linux, Mandriva or
> Fedora Core?
> Are there some problems with mandriva to compile SElinux or not?
> thanks in advance
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From selinux at gmail.com Tue Aug 14 17:41:33 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 14 Aug 2007 10:41:33 -0700
Subject: cups AVC...
Message-ID: <4c4ba1530708141041h64cc0a5fv3ba0773bac188869@mail.gmail.com>

Running latest Rawhide, I get the following when configuring a printer inside of Cups web interface (localhost:631):

type=AVC msg=audit(1187113075.195:823): avc: denied { getattr } for pid=20531 comm="hp" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187113075.195:823): arch=40000003 syscall=195 success=yes exit=0 a0=bfef1ab8 a1=bfef179c a2=9e0ff4 a3=3a items=0 ppid=14556 pid=20531 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1187113075.195:824): avc: denied { read } for pid=20531 comm="hp" name=".index" dev=dm-0 ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187113075.195:824): arch=40000003 syscall=5 success=yes exit=5 a0=bfef1ab8 a1=8000 a2=1b6 a3=87f6f30 items=0 ppid=14556 pid=20531 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

--
Tom London

From spng.yang at gmail.com Wed Aug 15 10:59:44 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Wed, 15 Aug 2007 18:59:44 +0800
Subject: apache2 failing to start
Message-ID: <46C2DCA0.30501@gmail.com>

Ubaidul Khan wrote:
> Ken,
>
> Thank you for your response.
>
>> you can first use execstack to check whether your program really need
>> executable stack(you must have prelink firstly):
>
> I checked to see if the library requires executable stack and execstack
> returns unknown(? - when it is unknown whether the object requires or
> doesn't require executable stack).
>
> # execstack -q libclntsh.so.10.1
> ? libclntsh.so.10.1

sorry for replying late, i had just finished a business trip of more than 10 days.

"?" is output if your lib has no PT_GNU_STACK, and "-" if your lib does not need to be executable.

> I don't think it was prelinked since these libraries are distributed by
> oracle as binary files( all I did was downloaded the archive from
> oracle's website and extracted them into
> /opt/oracle/app/instant-client-10.1). Then I downloaded the
> php-5.1.6-11 SRPM and linked against the oci libraries in the following
> manner:
>
> configure \
> --with-oci8=instantclient,/opt/oracle/app/instant-client-10.1/

even if the libraries are distributed by a third party, they will also be prelinked, because prelink is run in a cron job.

>> i wonder why is your libraries usr_t, not lib_t, if your libs are
>> lib_t, httpd_t can execute those files
>
> I think this happened because I made the directory path
> /opt/oracle/app/instant-client-10.1/ as root. This path inherited the
> default context. I imagine it would be more sensible to store the
> libraries in /usr/lib or /usr/lib64.

no, those should be labeled with lib_t. in a fs with extended attribute support, the context will be inherited from the containing directory and the creating process, if there is no corresponding transition policy. you can restorecon all files the package installs.

> I am still puzzled by the executable stack dilemma. I noticed this goes
> away, when disable selinux(setenforce 0).

you should never disable selinux; if you want to test your package, you can make selinux permissive, in which selinux will not prohibit anything and still generate audit messages. but your command is right, "setenforce 0" will put selinux in permissive mode.

executable stack is normal, many programs need that, e.g. nested functions. besides the methods i mentioned, you also can label your program with "unconfined_execmem_exec_t" to run:

chcon -t unconfined_execmem_exec_t PROGRAM

or

runcon -c -t unconfined_execmem_exec_t PROGRAM ...

> Look forward to your correspondence.
>
>> From: Ken YANG
>> To: Ubaidul Khan
>> CC: fedora-selinux-list at redhat.com
>> Subject: Re: apache2 failing to start
>> Date: Fri, 03 Aug 2007 13:10:27 +0800
>>
>> Ubaidul Khan wrote:
>> > Hello,
>> >
>> > We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I
>> > could link php with Oracle Instant Client Libraries(oci). OCI is
>> > installed under /opt with the following contexts:
>> >
>> > # ls -lZ
>> > drwxr-xr-x root root system_u:object_r:usr_t oracle
>> >
>> > [root at saleen_webvm1 instant-client-10.1]# pwd
>> > /opt/oracle/app/instant-client-10.1
>> > [root at saleen_webvm1 instant-client-10.1]# ls -alZ
>> > drwxr-xr-x root root system_u:object_r:usr_t .
>> > drwxr-xr-x root root system_u:object_r:usr_t ..
>> > -rw-r--r-- root root system_u:object_r:usr_t classes12.jar
>> > drwxr-xr-x root root system_u:object_r:usr_t docs
>> > -rw-r--r-- root root system_u:object_r:usr_t glogin.sql
>> > lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
>> > -rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
>> > -rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
>> > lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
>> > -rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
>> > -rwxr-xr-x root root system_u:object_r:usr_t libociei.so
>> > -rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
>> > -rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
>> > -rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
>> > -rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
>> > drwxr-xr-x root root system_u:object_r:usr_t sdk
>> > -rwxr-xr-x root root system_u:object_r:usr_t sqlplus
>> > -rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
>> >
>> > When I try to start apache, I get some errors in audit.log and apache
>> > fails to start.
>> >
>> > type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10 success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0 ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>> > type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>> > type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880 pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>> > type=AVC_PATH msg=audit(1186088202.755:61): path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
>> >
>> > audit2allow is telling me to add the following rules:
>> >
>> > # audit2allow < audit.log
>> > allow httpd_t self:process execstack;
>> > allow httpd_t usr_t:file execute;
>> >
>> > My question/concerns are the following:
>> >
>> > 1. What risks do I incur by making the process stack executable?
>>
>> it will incur the security risk, such as buffer overflow.
>> Stack memory is not executable on most OSes these days, and
>> will not change.
>>
>> you can first use execstack to check whether your program
>> really need executable stack(you must have prelink firstly):
>>
>> for example:
>>
>> #execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
>> X libart_lgpl_2.so.2
>>
>> and use execstack to remove the p_flags field of PT_GNU_STACK header
>> entry, and run program to see whether it really need stack to be
>> executable:
>>
>> execstack -c libart_lgpl_2.so.2
>>
>> if yes, you also can use boolean to allow stack to be executed:
>>
>> setsebool [-P] allow_execstack 1
>>
>> this will make all program stack executable, and there are still:
>>
>> allow_java_execstack,allow_mplayer_execstack
>>
>> use these booleans, you will not need write policy for executable
>> stack.
>>
>> > 2. If I am reading the second rule correctly, its asking to allow
>> > httpd_t to execute user_t files?
>>
>> i wonder why is your libraries usr_t, not lib_t, if your libs are
>> lib_t, httpd_t can execute those files
>>
>> > Thanks for your help
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Wed Aug 15 11:02:27 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Aug 2007 07:02:27 -0400
Subject: cups AVC...
In-Reply-To: <4c4ba1530708141041h64cc0a5fv3ba0773bac188869@mail.gmail.com>
References: <4c4ba1530708141041h64cc0a5fv3ba0773bac188869@mail.gmail.com>
Message-ID: <46C2DD43.6000407@redhat.com>

Tom London wrote:
> Running latest Rawhide, I get the following when configuring a printer
> inside of Cups web interface (localhost:631):
>
> type=AVC msg=audit(1187113075.195:823): avc: denied { getattr } for pid=20531 comm="hp" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1187113075.195:823): arch=40000003 syscall=195 success=yes exit=0 a0=bfef1ab8 a1=bfef179c a2=9e0ff4 a3=3a items=0 ppid=14556 pid=20531 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1187113075.195:824): avc: denied { read } for pid=20531 comm="hp" name=".index" dev=dm-0 ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1187113075.195:824): arch=40000003 syscall=5 success=yes exit=5 a0=bfef1ab8 a1=8000 a2=1b6 a3=87f6f30 items=0 ppid=14556 pid=20531 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
Any idea why the hp command would want to look at the snmp path="/usr/share/snmp/mibs/.index"

Or is this a leaked file descriptor from somewhere?

From dwalsh at redhat.com Wed Aug 15 11:05:28 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Aug 2007 07:05:28 -0400
Subject: Strict policy on FC6 and F7
In-Reply-To: <414980.45368.qm@web34809.mail.mud.yahoo.com>
References: <414980.45368.qm@web34809.mail.mud.yahoo.com>
Message-ID: <46C2DDF8.1080403@redhat.com>

Louis Lam wrote:
> Hi Dan,
>
> For RHEL5, I've upgraded the selinux policy rpms to version 2.4.6-79. I've updated only the
> following rpms
>
> selinux-policy
> selinux-policy-devel
> selinux-policy-targeted
> selinux-policy-strict
>
> But I left the libselinux libraries alone since the rpm upgrade went through without complaints. I
> can't use YUM because my system is not directly connected to the internet.
>
> But I'm still faced with the problem of not being able to logon as root at runlevel 5, gui login.
> Do I still need the login.te module? Or is it advisable to upgrade the selinux libraries as well?
>
What error are you seeing at the gui login?
> Thanks,
> Louis
>
> --- Daniel J Walsh wrote:
>
>> Louis Lam wrote:
>>
>>> Hi Dan,
>>>
>>> I'm using the stock policy for FC7 2.6.4-8, not the latest policy. I'm
>>> not too sure where to go and how to get the latest policy version. Do
>>> I take the latest policy version and remake the source RPM? Or are
>>> there pre-packaged rpms that I can use to upgrade?
>>>
>> You should be able to simply do a yum update.
>>
>>> You didn't see this problem in RHEL 5? Do I need the local.te module
>>> if I use the "stock" RHEL 5? I tried switching to strict policy in
>>> RHEL 5 and cannot login with root. But I can log in as a normal user.
>>> Is it "normal" that this restriction be placed on root? Is the
>>> local.te trying to enable root login?
>>>
>> No this sounds like either a bug or a labeling problem in RHEL5. You
>> should be able to login as root. You might want to update to the U1
>> policy which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
>>
>>> Thanks,
>>> Louis

From dwalsh at redhat.com Wed Aug 15 11:06:29 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Aug 2007 07:06:29 -0400
Subject: SElinux beginner
In-Reply-To: <9f066ee90708130540v51a93d85ud7cd0d096f47c27d@mail.gmail.com>
References: <727458.53608.qm@web28112.mail.ukl.yahoo.com> <9f066ee90708130540v51a93d85ud7cd0d096f47c27d@mail.gmail.com>
Message-ID: <46C2DE35.7090402@redhat.com>

Mark wrote:
> I am fairly new to SE Linux as well, and all indications I have
> received is that Fedora Core is the best distribution to use.
You won't get an argument from me. :^)
>
> --
> ..Cheers
> Mark
>
> On 8/13/07, *jihene tanneche* wrote:
>
> Which is a better distribution to learn SE Linux, Mandriva or
> Fedora Core?
> Are there some problems with mandriva to compile SElinux or not?
> thanks in advance
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From twaugh at redhat.com Wed Aug 15 11:08:42 2007
From: twaugh at redhat.com (Tim Waugh)
Date: Wed, 15 Aug 2007 12:08:42 +0100
Subject: cups AVC...
In-Reply-To: <46C2DD43.6000407@redhat.com>
References: <4c4ba1530708141041h64cc0a5fv3ba0773bac188869@mail.gmail.com> <46C2DD43.6000407@redhat.com>
Message-ID: <1187176122.5000.4.camel@cyberelk.elk>

On Wed, 2007-08-15 at 07:02 -0400, Daniel J Walsh wrote:
> Any idea why the hp command would want to look at the snmp
>
> path="/usr/share/snmp/mibs/.index"
>
> Or is this a leaked file descriptor from somewhere?

HPLIP, in the form of the CUPS hp backend here, is capable of using SNMP to determine characteristics of networked printers.

Tim.

From josh at globalherald.net Wed Aug 15 17:17:46 2007
From: josh at globalherald.net (Josh)
Date: Wed, 15 Aug 2007 13:17:46 -0400 (EDT)
Subject: How does 'login' change MCS Category Access?

Hello,

On page 509 of the RHEL manual, there's a note that states: "MCS category access is assigned during login."

What is the mechanism that does this? How can I assign MCS Category Access to an arbitrary Python script that is run as a certain user from Crontab (without being 'logged in')?

Thanks,
-Josh

From xyusun_kitty at yahoo.com.cn Thu Aug 16 03:02:07 2007
From: xyusun_kitty at yahoo.com.cn (dee kitty)
Date: Thu, 16 Aug 2007 11:02:07 +0800 (CST)
Subject: where can i find selinux policy sourcecode
Message-ID: <989870.41900.qm@web15812.mail.cnb.yahoo.com>

I want to learn how to configure the selinux policy, and I have installed fedora7, but I don't find the TE configuration files mentioned in the paper "configuring the selinux policy" in /etc/selinux. Then I found many selinux policies such as the selinux reference policy and installed it. But I don't find many of the files mentioned in the paper "configuring the selinux policy" either. What can I do? thank you very much

From elihusmails at gmail.com Thu Aug 16 03:13:09 2007
From: elihusmails at gmail.com (Mark)
Date: Wed, 15 Aug 2007 23:13:09 -0400
Subject: where can i find selinux policy sourcecode
In-Reply-To: <989870.41900.qm@web15812.mail.cnb.yahoo.com>
References: <989870.41900.qm@web15812.mail.cnb.yahoo.com>
Message-ID: <9f066ee90708152013x634c4c68nfce3c8e5be5b29b6@mail.gmail.com>

http://oss.tresys.com/projects/refpolicy

On 8/15/07, dee kitty wrote:
>
> I want to learn how to configure the selinux policy, and I have installed
> fedora7, but I don't find the TE configuration files mentioned in the paper
> "configuring the selinux policy" in /etc/selinux. Then I found many selinux
> policies such as the selinux reference policy and installed it. But I don't find
> many of the files mentioned in the paper "configuring the selinux policy" either. What can
> I do?
> thank you very much
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

--
..Cheers
Mark

From spng.yang at gmail.com Thu Aug 16 03:18:11 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Thu, 16 Aug 2007 11:18:11 +0800
Subject: where can i find selinux policy sourcecode
In-Reply-To: <989870.41900.qm@web15812.mail.cnb.yahoo.com>
References: <989870.41900.qm@web15812.mail.cnb.yahoo.com>
Message-ID: <46C3C1F3.9070505@gmail.com>

dee kitty wrote:
> I want to learn how to configure the selinux policy, and I have installed fedora7, but I don't find the TE configuration files mentioned in the paper "configuring the selinux policy" in /etc/selinux. Then I found many selinux policies such as the selinux reference policy and installed it. But I don't find many of the files mentioned in the paper "configuring the selinux policy" either. What can I do?
> thank you very much

from refpolicy, there is no source policy in "/etc/selinux". if you want the policy source, you can check out the upstream policy from:

svn co http://oss.tresys.com/repos/refpolicy/trunk refpolicy

or download the src rpm used in fedora. NOTE, there are some differences between these two.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From xyusun_kitty at yahoo.com.cn Thu Aug 16 04:41:45 2007
From: xyusun_kitty at yahoo.com.cn (dee kitty)
Date: Thu, 16 Aug 2007 12:41:45 +0800 (CST)
Subject: meeting many warnings when install refpolicy
Message-ID: <367067.33195.qm@web15804.mail.cnb.yahoo.com>

I svn co http://oss.tresys.com/repos/refpolicy/trunk refpolicy, and install it. There are many warnings: warning "unrecongniced character" at token, when installing all *.te files. I feel refpolicy hasn't been installed successfully. What should I do to deal with this problem? looking forward to your immediate reply. thank you very much,

From spng.yang at gmail.com Thu Aug 16 10:03:56 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Thu, 16 Aug 2007 18:03:56 +0800
Subject: [RFC] policy about nas sound server
In-Reply-To: <46B0CEF6.80008@redhat.com>
References: <46AAFF45.1090909@gmail.com> <46B0CEF6.80008@redhat.com>
Message-ID: <46C4210C.1050301@gmail.com>

sorry for modifying late, i just finished a business trip of over 10 days.

i have modified the soundserver policy module based on frank's bugfix:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250453

the patch is based on selinux-policy-targeted-3.0.5-7.fc8.noarch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: soundserver-3.0.5.patch
Type: text/x-patch
Size: 3330 bytes
Desc: not available

From tibbs at math.uh.edu Fri Aug 17 06:44:57 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 17 Aug 2007 01:44:57 -0500
Subject: ldconfig denials on F7
Message-ID:

I'm seeing a ton of the following denials when installing packages:

audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd

My specific situation may be odd. I kickstart a small system from a fully updated repo. Then when that system boots, /etc/rc.local calls a script which calls yum to install the rest of the system. Is it possible that this arrangement misses some essential domain transition?

The selinux packages installed are:
selinux-policy-2.6.4-33.fc7.noarch
selinux-policy-targeted-2.6.4-33.fc7.noarch

- J<

From dwalsh at redhat.com Fri Aug 17 11:05:15 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 17 Aug 2007 07:05:15 -0400
Subject: ldconfig denials on F7
In-Reply-To:
References:
Message-ID: <46C580EB.4020307@redhat.com>

Jason L Tibbitts III wrote:
> I'm seeing a ton of the following denials when installing packages:
>
> audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
>
> My specific situation may be odd. I kickstart a small system from a fully updated repo. Then when that system boots, /etc/rc.local calls a script which calls yum to install the rest of the system. Is it possible that this arrangement misses some essential domain transition?
>
> The selinux packages installed are:
> selinux-policy-2.6.4-33.fc7.noarch
> selinux-policy-targeted-2.6.4-33.fc7.noarch
>
> - J<

This is probably not a problem. ldconfig gets passed an open file descriptor to the console device, which the kernel promptly closes when selinux sees that it does not have access. As long as ldconfig works, it can be dontaudited. Many domains currently use this interface.

init_dontaudit_use_fds

From selinux at gmail.com Fri Aug 17 18:41:46 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 17 Aug 2007 11:41:46 -0700
Subject: xdm_server_t wants urandom_device_t
Message-ID: <4c4ba1530708171141s240ef486u4698801ea57065e3@mail.gmail.com>

Latest Rawhide, targeted/enforcing.

Get this early (right after cups 'label change' start up messages):

type=AVC msg=audit(1187373560.608:18): avc: denied { read } for pid=3111 comm="sh" name="urandom" dev=tmpfs ino=2350 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1187373560.608:18): arch=40000003 syscall=5 success=no exit=-13 a0=80d2bc0 a1=8000 a2=0 a3=8000 items=0 ppid=3075 pid=3111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="sh" exe="/bin/bash" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)

--
Tom London

From jihene_tanneche at yahoo.fr Mon Aug 20 14:37:25 2007
From: jihene_tanneche at yahoo.fr (jihene tanneche)
Date: Mon, 20 Aug 2007 14:37:25 +0000 (GMT)
Subject: SElinux beginner
Message-ID: <102293.25873.qm@web28112.mail.ukl.yahoo.com>

I want to compile selinux under kernel 2.6 independently of the linux distribution, because later I will port selinux to an embedded system, any help

thanks

From jihene_tanneche at yahoo.fr Mon Aug 20 15:37:22 2007
From: jihene_tanneche at yahoo.fr (jihene tanneche)
Date: Mon, 20 Aug 2007 15:37:22 +0000 (GMT)
Subject: Tr : SElinux beginner
Message-ID: <525597.96814.qm@web28110.mail.ukl.yahoo.com>

I want to compile selinux under kernel 2.6 independently of the linux distribution, because later I will port selinux to an embedded system with ARM9, any help

thanks

From linux_4ever at yahoo.com Mon Aug 20 16:43:26 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Mon, 20 Aug 2007 09:43:26 -0700 (PDT)
Subject: xdm_server_t wants urandom_device_t
In-Reply-To: <4c4ba1530708171141s240ef486u4698801ea57065e3@mail.gmail.com>
Message-ID: <925159.51891.qm@web51511.mail.re2.yahoo.com>

> Latest Rawhide, targeted/enforcing.
>
> Get this early (right after cups 'label change' start up messages):

This is likely caused by a new patch to bash to improve its random number generation. But, we are reworking the patch to do a lazy init of the random number generator, so we should probably hold off on amending policy for a few days for things that suddenly want urandom_device_t. It should get sorted out this week.

-Steve

From dwalsh at redhat.com Mon Aug 20 21:48:34 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Aug 2007 17:48:34 -0400
Subject: Tr : SElinux beginner
In-Reply-To: <525597.96814.qm@web28110.mail.ukl.yahoo.com>
References: <525597.96814.qm@web28110.mail.ukl.yahoo.com>
Message-ID: <46CA0C32.3020504@redhat.com>

jihene tanneche wrote:
> I want to compile selinux under kernel 2.6 independently of the linux distribution, because later I will port selinux to an embedded system with ARM9, any help
> thanks

You should ask questions like this on the selinux developers mailing list. Questions on this list should be specific to Fedora.

From dwalsh at redhat.com Mon Aug 20 21:49:45 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Aug 2007 17:49:45 -0400
Subject: cups AVC...
In-Reply-To: <1187176122.5000.4.camel@cyberelk.elk>
References: <4c4ba1530708141041h64cc0a5fv3ba0773bac188869@mail.gmail.com> <46C2DD43.6000407@redhat.com> <1187176122.5000.4.camel@cyberelk.elk>
Message-ID: <46CA0C79.7080003@redhat.com>

Tim Waugh wrote:
> On Wed, 2007-08-15 at 07:02 -0400, Daniel J Walsh wrote:
>> Any idea why the hp command would want to look at the snmp
>>
>> path="/usr/share/snmp/mibs/.index"
>>
>> Or is this a leaked file descriptor from somewhere?
>
> HPLIP, in the form of the CUPS hp backend here, is capable of using SNMP to determine characteristics of networked printers.
>
> Tim.

Thanks Tim, I will add the policy to allow hplip to read.

From anebi at iguanait.com Tue Aug 21 13:43:20 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Tue, 21 Aug 2007 16:43:20 +0300
Subject: Questions about some selinux audit messages
Message-ID: <1187703800.3421.15.camel@hugo.iguanait.com>

Hi everyone,

I get these audit messages on all servers:

Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:356):avc:denied { append } for pid=9416 comm="sendmail" name="error.log" dev=dm-0 ino=16416800 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied { read write } for pid=9416 comm="sendmail" name="[eventpoll]" dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied { append } for pid=9417 comm="postdrop" name="error_log" dev=dm-0 ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied { getattr } for pid=9417 comm="postdrop" name="error_log" dev=dm-0 ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:360):avc:denied { append } for pid=9448 comm="sendmail" name="error.log" dev=dm-0 ino=16416800 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:361):avc:denied { read write } for pid=9448 comm="sendmail" name="[eventpoll]" dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.253:362):avc:denied { append } for pid=9449 comm="postdrop" name="error_log" dev=dm-0 ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.256:363):avc:denied { getattr } for pid=9449 comm="postdrop" name="error_log" dev=dm-0 ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied { name_connect } for pid=32151 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

So, these are the messages. We have installed Fedora 6, x86_64.

My questions are these:

1. Why does postdrop try to read, append and get attributes of the apache logs? Can it be because we have installed the Logwatch program? We get these on all servers.
2. If I allow postdrop to do what it needs with the logs, is this secure and will it not be a problem for something?
3. For the last one, httpd tries to connect to the postgresql socket; why does this happen and is it secure?
4. I have to give httpd this permission to connect to postgresql. We have set postgresql to work on localhost and not to execute queries from remote hosts and sites.

I will wait for your opinions, thanks in advance.

Regards,
Ali Nebi!

From dwalsh at redhat.com Tue Aug 21 15:25:47 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 21 Aug 2007 11:25:47 -0400
Subject: FYI My guide to writing SELinux policy.
Message-ID: <46CB03FB.9020108@redhat.com>

http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

From sds at tycho.nsa.gov Tue Aug 21 17:58:02 2007
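The records Ali quotes are in the raw kernel/audit form, and the first thing to do with a batch like that is collapse them into the allow rules they imply before deciding which of those rules are actually wanted (the ldconfig denial from Jason's thread above is the same exercise, and Dan's answer there was "dontaudit, don't allow"). The following is an added example, not something posted on the list: a POSIX shell function that does the collapsing audit2allow does, reduced to its core, plus a small hint table. The boolean and interface names in the hint table (httpd_can_network_connect_db, init_dontaudit_use_fds) are assumptions about the Fedora 6/7 targeted policy; check them with getsebool -a and the installed interface files before relying on them. The sample records are constructed from the messages in these threads.

```sh
#!/bin/sh
# avc_triage.sh - added example, not from the list.
# Collapse raw AVC denials into audit2allow-style rules, then say which of
# them a boolean, a dontaudit or a relabel already covers.

# Read AVC records on stdin ("avc: denied" or "avc:denied", one per line,
# in kernel order: ... scontext=... tcontext=... tclass=...) and print one
# "allow SRC TGT:CLASS { perms };" per source type / target type / class.
avc_to_rules() {
    sed -n 's/.*avc: *denied { *\([^}]*\) } for .*scontext=[^: ]*:[^: ]*:\([^: ]*\):.*tcontext=[^: ]*:[^: ]*:\([^: ]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    awk '{
        key = $1 " " $2 ":" $3
        for (i = 4; i <= NF; i++)
            if (!seen[key, $i]++) perms[key] = perms[key] " " $i
    }
    END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' |
    LC_ALL=C sort
}

# What to do with a rule instead of loading it blindly. Names are assumed
# Fedora 6/7 targeted-policy names: confirm with getsebool -a.
boolean_hint() {
    case "$1" in
        "allow httpd_t postgresql_port_t:tcp_socket "*)
            echo "setsebool -P httpd_can_network_connect_db=1" ;;
        "allow ldconfig_t init_t:fd "*)
            echo "dontaudit: init_dontaudit_use_fds(ldconfig_t)" ;;
        "allow "*" unlabeled_t:"*)
            echo "unlabeled target: fix the label (restorecon, or a policy update for pseudo filesystems), not an allow rule" ;;
        *)  echo "no boolean known: check ls -Z and inherited fds before allowing" ;;
    esac
}

# Rules plus hints, one pair per rule.
triage() {
    avc_to_rules | while IFS= read -r rule; do
        printf '%s\n    -> %s\n' "$rule" "$(boolean_hint "$rule")"
    done
}

# Constructed sample: records from Ali's mail plus Jason's ldconfig one.
sample_avcs() {
cat <<'EOF'
Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:356):avc:denied { append } for pid=9416 comm="sendmail" name="error.log" dev=dm-0 ino=16416800 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied { read write } for pid=9416 comm="sendmail" name="[eventpoll]" dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied { append } for pid=9417 comm="postdrop" name="error_log" dev=dm-0 ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied { getattr } for pid=9417 comm="postdrop" name="error_log" dev=dm-0 ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied { name_connect } for pid=32151 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
EOF
}

# Usage: sample_avcs | triage     or     grep avc /var/log/messages | triage
```

Two of the collapsed rules deserve a second look rather than an allow rule: a mail domain appending to httpd_log_t and httpd_sys_content_t is the signature of a descriptor inherited from whatever invoked sendmail (the same "leaked file descriptor" question Dan raises in the cups thread), or of a log file living under the web root, and both are fixed at the source or with a relabel, not in policy.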
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 21 Aug 2007 13:58:02 -0400
Subject: SElinux beginner
In-Reply-To: <102293.25873.qm@web28112.mail.ukl.yahoo.com>
References: <102293.25873.qm@web28112.mail.ukl.yahoo.com>
Message-ID: <1187719082.1451.191.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-08-20 at 14:37 +0000, jihene tanneche wrote:
> I want to compile selinux under kernel 2.6 independently of the linux distribution, because later I will port selinux to an embedded system, any help

And your question is what? Mainline kernel has selinux support, and that support isn't specific to a distribution. What is specific to a distribution is how you integrate the userland bits and get a policy into place. See http://selinux.sourceforge.net for some useful information.

--
Stephen Smalley
National Security Agency

From pemboa at gmail.com Tue Aug 21 20:55:49 2007
From: pemboa at gmail.com (Arthur Pemberton)
Date: Tue, 21 Aug 2007 15:55:49 -0500
Subject: Data access to two daemon
Message-ID: <16de708d0708211355x744747ech1cffd5e2da5a2daf@mail.gmail.com>

I have a personal server set up with SELinux in targeted mode. I would like to allow rw access to these files for Samba, and ro access to these files for httpd. In my current setup, SELinux requires the security context of the respective daemon to allow access to them. Since I gave Samba access more priority, the current context is:

root:object_r:samba_share_t

The files are not owned by root; they are currently chowned pembo13:comrades.

Please advise on the best method to arrange for the access that I seem to require.

Thank you.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

From olivares14031 at yahoo.com Tue Aug 21 22:16:22 2007
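Arthur's question gets no answer in this excerpt. What follows is an added example, not from the list, of the usual way to do this on a Fedora 7 targeted policy without writing a module: label the tree with a type both daemons already know and let booleans decide who may write. It assumes the installed policy has public_content_rw_t and the allow_smbd_anon_write / allow_httpd_anon_write booleans (both shipped in Fedora's targeted policy of that era, but confirm with getsebool -a and semanage fcontext -l), and that httpd ends up read-only simply because its write boolean stays off. The path /srv/comrades is a placeholder.

```sh
#!/bin/sh
# share_tree.sh - added example, not from the list.
# One directory tree: read/write for Samba, read-only for Apache, using the
# stock Fedora 7 targeted policy rather than a custom module.
#
# Assumptions about that policy (check: getsebool -a; semanage fcontext -l):
#   public_content_rw_t     readable by httpd_t, smbd_t, ftpd_t, rsync_t
#   allow_smbd_anon_write   lets smbd create/write public_content_rw_t files
#   allow_httpd_anon_write  the same for httpd_t; left off, so httpd is ro
# DAC still applies on top: the Samba user must be able to write the tree
# by ownership/group (pembo13:comrades in Arthur's case).

# Print every command; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Record the label in the policy store (so it survives a full relabel),
# apply it to the files now, then set the write booleans.
# If a spec for the path already exists, "semanage fcontext -m" replaces it.
share_tree() {
    dir=$1
    run semanage fcontext -a -t public_content_rw_t "$dir(/.*)?"
    run restorecon -R -v "$dir"
    run setsebool -P allow_smbd_anon_write=1
    run setsebool -P allow_httpd_anon_write=0
}

# Commands that show whether the change took.
verify_tree() {
    dir=$1
    run ls -dZ "$dir"
    run getsebool allow_smbd_anon_write allow_httpd_anon_write
}

# Usage (as root):  APPLY=1 sh share_tree.sh /srv/comrades
# Without APPLY=1 it only prints what it would run.
if [ -n "${1:-}" ]; then
    share_tree "$1"
    verify_tree "$1"
fi
```

Keeping samba_share_t would also work for Samba alone, but httpd_t has no rule for that type, which is exactly the conflict Arthur describes; a type that several daemons can read, with write gated per daemon by a boolean, is the mechanism the targeted policy provides for shared trees.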
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 21 Aug 2007 15:16:22 -0700 (PDT)
Subject: several problems after successful update, wine, texlive and selinux
Message-ID: <196166.34644.qm@web52611.mail.re2.yahoo.com>

Dear all,

I have successfully updated the machine I asked for help to update, for which advice was quickly given and the problem resolved. However, after updating I find the following problems:

1) wine does not work. Is it because of selinux? dmesg does not show this :(

[olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
[1] 3004
[olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied

[1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
[olivares at localhost ~]$ wine --help
bash: /usr/bin/wine: Permission denied
[olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
[1] 3007
[olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied

[1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
[olivares at localhost ~]$ rpm -qa wine*
wine-capi-0.9.43-2.fc8
wine-twain-0.9.43-2.fc8
wine-nas-0.9.43-2.fc8
wine-jack-0.9.43-2.fc8
wine-0.9.43-2.fc8
wine-cms-0.9.43-2.fc8
wine-tools-0.9.43-2.fc8
wine-core-0.9.43-2.fc8
wine-esd-0.9.43-2.fc8
wine-ldap-0.9.43-2.fc8

2) texlive install was almost successful all the way, except for tetex-xdvi, which has no equivalent texlive package. I am surprised that f8 test 1 still had tetex instead of texlive, but here I installed it using the instructions on the Wiki.
[root at localhost Downloads]# yum install texlive texlive-latex
Setting up Install Process
Parsing package install arguments
development               100% |=========================| 2.1 kB    00:00
primary.sqlite.bz2        100% |=========================| 4.2 MB    00:03
texlive                   100% |=========================|  951 B    00:00
primary.xml.gz            100% |=========================| 7.2 kB    00:00
texlive                   : ################################################## 23/23
Resolving Dependencies
--> Running transaction check
---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
--> Processing Dependency: texlive-texmf = 2007 for package: texlive
--> Processing Dependency: libt1.so.5 for package: texlive
--> Processing Dependency: libTECkit.so.0 for package: texlive
--> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive-latex
--> Processing Dependency: texlive-dvips = 2007 for package: texlive-latex
--> Processing Dependency: texlive-texmf-latex = 2007 for package: texlive-latex
--> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive
--> Processing Dependency: texlive-fonts = 2007-0.10.fc7 for package: texlive
--> Processing Dependency: libkpathsea.so.4 for package: texlive
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
--> Processing Dependency: texlive-texmf-fonts >= 2007 for package: texlive-fonts
--> Processing Dependency: texlive-texmf-errata-latex = 2007 for package: texlive-texmf-latex
--> Processing Dependency: texlive-texmf-common = 2007 for package: texlive-texmf-latex
--> Processing Dependency: texlive-texmf-dvips = 2007 for package: texlive-dvips
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
--> Processing Dependency: texlive-texmf-errata-common = 2007-0.9.fc7 for package: texlive-texmf-errata-latex
--> Processing Dependency: texlive-texmf-errata-fonts = 2007 for package: texlive-texmf-fonts
--> Processing Dependency: texlive-texmf-errata-dvips = 2007 for package: texlive-texmf-dvips
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated

Dependencies Resolved

=============================================================================
 Package                     Arch    Version          Repository     Size
=============================================================================
Installing:
 texlive                     i386    2007-0.10.fc7    texlive        5.8 M
 texlive-latex               i386    2007-0.10.fc7    texlive         74 k
Installing for dependencies:
 kpathsea                    i386    2007-0.10.fc7    texlive        148 k
 t1lib                       i386    5.1.1-1.fc8      development    316 k
 teckit                      i386    2.2.1-1.fc8      development    322 k
 texlive-dvips               i386    2007-0.10.fc7    texlive        176 k
 texlive-fonts               i386    2007-0.10.fc7    texlive        509 k
 texlive-texmf               noarch  2007-0.10.fc7    texlive        8.2 M
 texlive-texmf-common        noarch  2007-0.10.fc7    texlive        7.4 k
 texlive-texmf-dvips         noarch  2007-0.10.fc7    texlive        826 k
 texlive-texmf-errata        noarch  2007-0.9.fc7     texlive        3.3 k
 texlive-texmf-errata-common noarch  2007-0.9.fc7     texlive        3.4 k
 texlive-texmf-errata-dvips  noarch  2007-0.9.fc7     texlive        3.3 k
 texlive-texmf-errata-fonts  noarch  2007-0.9.fc7     texlive        3.2 k
 texlive-texmf-errata-latex  noarch  2007-0.9.fc7     texlive        3.3 k
 texlive-texmf-fonts         noarch  2007-0.10.fc7    texlive         55 M
 texlive-texmf-latex         noarch  2007-0.10.fc7    texlive        3.1 M

Transaction Summary
=============================================================================
Install     17 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 74 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): kpathsea-2007-0.1 100% |=========================| 148 kB    00:00
(2/17): teckit-2.2.1-1.fc 100% |=========================| 322 kB    00:00
(3/17): texlive-texmf-dvi 100% |=========================| 826 kB    00:00
(4/17): texlive-texmf-err 100% |=========================| 3.3 kB    00:00
(5/17): t1lib-5.1.1-1.fc8 100% |=========================| 316 kB    00:00
(6/17): texlive-texmf-com 100% |=========================| 7.4 kB    00:00
(7/17): texlive-texmf-200 100% |=========================| 8.2 MB    00:05
(8/17): texlive-texmf-err 100% |=========================| 3.3 kB    00:00
(9/17): texlive-texmf-err 100% |=========================| 3.3 kB    00:00
(10/17): texlive-latex-20 100% |=========================|  74 kB    00:00
(11/17): texlive-texmf-fo 100% |=========================|  55 MB    00:37
(12/17): texlive-texmf-er 100% |=========================| 3.2 kB    00:00
(13/17): texlive-2007-0.1 100% |=========================| 5.8 MB    00:04
(14/17): texlive-dvips-20 100% |=========================| 176 kB    00:00
(15/17): texlive-fonts-20 100% |=========================| 509 kB    00:00
(16/17): texlive-texmf-er 100% |=========================| 3.4 kB    00:00
(17/17): texlive-texmf-la 100% |=========================| 3.1 MB    00:02
Running rpm_check_debug
--> Populating transaction set with selected packages. Please wait.
---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
ERROR with rpm_check_debug vs depsolve:
Package tetex-xdvi needs tetex-dvips = 3.0, this is not available.
Complete!

and selinux is causing too much trouble. Here's an example. Sorry for all the text in the selinux alert.

Summary
    SELinux is preventing /usr/lib/firefox-2.0.0.6/firefox-bin from making the program stack executable.

Detailed Description
    The /usr/lib/firefox-2.0.0.6/firefox-bin application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. If /usr/lib/firefox-2.0.0.6/firefox-bin does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes a library is accidentally marked with the execstack flag; if you find a library with this flag you can clear it with execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust /usr/lib/firefox-2.0.0.6/firefox-bin to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin"

    The following command will allow this access:
    chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin

Additional Information
    Source Context          system_u:system_r:unconfined_t
    Target Context          system_u:system_r:unconfined_t
    Target Objects          None [ process ]
    Affected RPM Packages   firefox-2.0.0.6-3.fc8 [application]
    Policy RPM              selinux-policy-3.0.5-8.fc8
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.allow_execstack
    Host Name               localhost
    Platform                Linux localhost 2.6.23-0.115.rc3.git1.fc8 #1 SMP Fri Aug 17 20:58:14 EDT 2007 i686 athlon
    Alert Count             6
    First Seen              Tue 21 Aug 2007 04:17:07 PM CDT
    Last Seen               Tue 21 Aug 2007 04:54:17 PM CDT
    Local ID                bbd222d8-abbe-4dd8-b54b-46c7d29b434c
    Line Numbers

Raw Audit Messages
    avc: denied { execstack } for comm="firefox-bin" egid=500 euid=500 exe="/usr/lib/firefox-2.0.0.6/firefox-bin" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=3011 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).

SELinux prevented /usr/sbin/ntpd from using the terminal 0
    avc: denied { read, write } for comm="ntpd" dev=devpts egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="0" pid=17348 scontext=user_u:system_r:ntpd_t:s0 sgid=0 subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=chr_file tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0

SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "create" to (unlabeled_t).
SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "append" to /var/log/cups/error_log (cupsd_log_t).
SELinux prevented /sbin/rpc.statd from using the terminal /dev/pts/0.

......, there are a bunch of them. sorry for not posting them.
dmesg does not show any of these when running dmesg from the terminal. see http://www.geocities.com/olivares14031//20070821164505-dmesg.htm for details.

Will do a
# touch /.autorelabel
# reboot
and hope that it cures many of these issues.

Regards,

Antonio

From olivares14031 at yahoo.com Tue Aug 21 23:48:51 2007
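The sealert text in Antonio's mail says to look for a library "accidentally marked with the execstack flag". Concretely, that flag is the PT_GNU_STACK program header with its execute bit set, or no such header at all, which the kernel also treats as a request for an executable stack. The script below is an added example, not from the list or from setroubleshoot: it reads that header with readelf from binutils and lists the files under a directory that would trip the allow_execstack check, which is the thing to fix with execstack -c before reaching for the unconfined_execmem_exec_t relabel the alert offers. The readelf excerpts in it are constructed sample input, and the firefox directory in the usage line is a placeholder.

```sh
#!/bin/sh
# execstack_audit.sh - added example, not from the list or setroubleshoot.
# Decide whether an ELF object asks for an executable stack by reading its
# PT_GNU_STACK program header (what "execstack -q" reports as X, - or ?),
# and list the offenders under a directory. Needs readelf from binutils.

# Read "readelf -lW FILE" output on stdin and print one word:
#   exec     GNU_STACK header with the E (execute) bit: trips allow_execstack
#   noexec   GNU_STACK header present, RW only
#   missing  no GNU_STACK header at all; the kernel then defaults to an
#            executable stack, so treat it like "exec"
gnu_stack_state() {
    awk '
        $1 == "GNU_STACK" { found = 1; state = ($0 ~ / RWE /) ? "exec" : "noexec" }
        END { print found ? state : "missing" }'
}

# Walk DIR and print every ELF file whose stack would be executable.
# Fix candidates with "execstack -c FILE" and retest, as the alert says;
# relabelling the main binary to unconfined_execmem_exec_t is the last resort.
find_execstack() {
    find "$1" -type f \( -name '*.so*' -o -perm -u+x \) | while IFS= read -r f; do
        readelf -h "$f" >/dev/null 2>&1 || continue   # skip non-ELF files
        case "$(readelf -lW "$f" | gnu_stack_state)" in
            exec|missing) printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed readelf -lW excerpts (not from a real firefox build) so the
# classifier can be exercised without binutils installed.
sample_exec_stack() {
cat <<'EOF'
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x0a568 0x0a568 R E 0x1000
  LOAD           0x00a568 0x0000b568 0x0000b568 0x00278 0x00280 RW  0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
EOF
}
sample_noexec_stack() {
cat <<'EOF'
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x0a568 0x0a568 R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
EOF
}

# Usage: sh execstack_audit.sh /usr/lib/firefox-2.0.0.6
if [ -n "${1:-}" ]; then find_execstack "$1"; fi
```

Plugins loaded at run time count too: a library that firefox-bin dlopens with an RWE GNU_STACK header makes the whole process request an executable stack, which is why the alert points at the binary while the culprit is usually a .so somewhere under its plugin directories.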
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 21 Aug 2007 16:48:51 -0700 (PDT)
Subject: too many selinux alerts, after touch ./ autorelabel reboot
Message-ID: <333953.82549.qm@web52604.mail.re2.yahoo.com>

Dear all,

selinux on rawhide is cranking out many denials. These do not show up in dmesg. What is happening? I do not know enough to help myself fix them. Here's one of them

Summary
    SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles (setfiles_exec_t).

Detailed Description
    SELinux denied access requested by dhclient-script. It is not expected that this access is required by dhclient-script and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /sbin/setfiles, restorecon -v /sbin/setfiles If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context          user_u:system_r:dhcpc_t
    Target Context          system_u:object_r:setfiles_exec_t
    Target Objects          /sbin/setfiles [ file ]
    Affected RPM Packages   policycoreutils-2.0.19-1.fc8 [target]
    Policy RPM              selinux-policy-2.6.5-2.fc8
    Selinux Enabled         True
    Policy Type             targeted
    MLS Enabled             True
    Enforcing Mode          Enforcing
    Plugin Name             plugins.catchall_file
    Host Name               localhost
    Platform                Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count             1
    First Seen              Tue 21 Aug 2007 07:41:12 AM CDT
    Last Seen               Tue 21 Aug 2007 07:41:12 AM CDT
    Local ID                73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles" path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0 subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0

SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).

This one is a major one:

SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
    Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."
    The following command will allow this access:
    setsebool -P allow_daemons_use_tty=1

There are some more, but in reality, I cannot understand why they do not show up in a regular dmesg. How can I cure all these selinux denials? This is reminiscent of the installation of Fedora 7, with too many problems with selinux. Sorry to complain, but I need some help. I hope that I am not the only one with these kinds of errors.
Regards,

Antonio

From joe at nall.com Wed Aug 22 00:19:55 2007
From: joe at nall.com (Joe Nall)
Date: Tue, 21 Aug 2007 19:19:55 -0500
Subject: F7 mls enforcing failed login and recursive fault
Message-ID: <8A64B753-D3D6-4BF8-B728-4474963B44DA@nall.com>

I built and fully updated an F7/MLS system today and was unable to log in in MLS enforcing from the console or ssh (no X, init level 2 or 3). I rebooted with a clean audit.log in permissive mode, logged in and found two login related denials

type=AVC msg=audit(1187740851.272:22): avc: denied { audit_control } for pid=2299 comm="login" capability=30 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=capability

and a second dbus related one that I was unable to replicate for this email.

I created a quick policy to see if I could log in in enforcing mode.

policy_module(f7fix,1.0.0)

gen_require(`
	type local_login_t, initrc_t;
	class dbus send_msg;
')

allow local_login_t initrc_t:dbus send_msg;
allow local_login_t self:capability audit_control;

and got this nasty result

Aug 21 18:19:12 f7 kernel: ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068
Aug 21 18:19:12 f7 kernel: Process login (pid: 2310, ti=f7f98000 task=f70de2b0 task.ti=f7f98000)
Aug 21 18:19:12 f7 kernel: Stack: c06ab7d9 fffffff3 00000000 c06f27ac fffffff3 fffffff3 00000000 c04ad93d
Aug 21 18:19:12 f7 kernel:        c06f27a0 f77b8878 c04ad987 f77b8800 f77b8800 f77b8878 c0555fae f7c8df00
Aug 21 18:19:12 f7 kernel:        c05509ee f77b8800 f773e938 00000000 00000000 c0550a20 f70aa800 c053660d
Aug 21 18:19:12 f7 kernel: Call Trace:
Aug 21 18:19:12 f7 kernel:  [] remove_files+0x15/0x1e
Aug 21 18:19:12 f7 kernel:  [] sysfs_remove_group+0x41/0x57
Aug 21 18:19:12 f7 kernel:  [] device_pm_remove+0x32/0x70
Aug 21 18:19:12 f7 kernel:  [] device_del+0x183/0x1ad
Aug 21 18:19:12 f7 kernel:  [] device_unregister+0x8/0x10
Aug 21 18:19:12 f7 kernel:  [] vcs_remove_sysfs+0x17/0x31
Aug 21 18:19:12 f7 kernel:  [] con_close+0x49/0x5b
Aug 21 18:19:12 f7 kernel:  [] release_dev+0x1df/0x5e3
Aug 21 18:19:12 f7 kernel:  [] free_pages_bulk+0x100/0x16e
Aug 21 18:19:12 f7 kernel:  [] __pagevec_free+0x14/0x1a
Aug 21 18:19:12 f7 kernel:  [] release_pages+0x10a/0x112
Aug 21 18:19:12 f7 kernel:  [] tty_release+0xf/0x18
Aug 21 18:19:12 f7 kernel:  [] __fput+0xb4/0x16a
Aug 21 18:19:12 f7 kernel:  [] filp_close+0x51/0x58
Aug 21 18:19:12 f7 kernel:  [] put_files_struct+0x5f/0xa7
Aug 21 18:19:12 f7 kernel:  [] do_exit+0x21f/0x6d3
Aug 21 18:19:12 f7 kernel:  [] sys_exit_group+0x0/0xd
Aug 21 18:19:12 f7 kernel:  [] syscall_call+0x7/0xb
Aug 21 18:19:12 f7 kernel:  [] __sched_text_start+0x6e8/0x89e
Aug 21 18:19:12 f7 kernel:  =======================
Aug 21 18:19:12 f7 kernel: Code: 8b 40 24 8b 40 24 c3 8b 40 14 8b 00 c3 8b 40 14 8b 00 c3 55 57 56 53 83 ec 0c 85 c0 89 44 24 04 89 14 24 0f 84 ed 00 00 00 89 c2 <8b> 40 0c 85 c0 0f 84 e0 00 00 00 8b 52 54 83 c0 74 89 54 24 08
Aug 21 18:19:12 f7 kernel: EIP: [] sysfs_hash_and_remove+0x18/0x110 SS:ESP 0068:f7f98e04
Aug 21 18:19:12 f7 kernel: Fixing recursive fault but reboot is needed!

potentially relevant rpm versions

kernel-2.6.21-1.3194.fc7
audit-1.5.3-1.fc7
util-linux-2.13-0.52.fc7
checkpolicy-2.0.3-1.fc7
policycoreutils-2.0.16-11.fc7
policycoreutils-gui-2.0.16-11.fc7
policycoreutils-newrole-2.0.16-11.fc7
seedit-policy-2.1.1-2.fc7.2
selinux-policy-2.6.4-33.fc7
selinux-policy-devel-2.6.4-33.fc7
selinux-policy-mls-2.6.4-33.fc7
selinux-policy-targeted-2.6.4-33.fc7

joe

From spng.yang at gmail.com Wed Aug 22 07:31:00 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Wed, 22 Aug 2007 15:31:00 +0800
Subject: several problems after successful update, wine, texlive and selinux
In-Reply-To: <196166.34644.qm@web52611.mail.re2.yahoo.com>
References: <196166.34644.qm@web52611.mail.re2.yahoo.com>
Message-ID: <46CBE634.4030906@gmail.com>

Antonio Olivares wrote:
> Dear all,
>
> I have successfully updated the machine I asked help to update for which advice was quickly given and resolved. However, after updating I find the following problems:
>
> 1) wine does not work. Is it because of selinux? dmesg does not show this :(
>
> [olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
> [1] 3004
> [olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied
>
> [1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
> [olivares at localhost ~]$ wine --help
> bash: /usr/bin/wine: Permission denied
> [olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
> [1] 3007
> [olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied
>
> [1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
> [olivares at localhost ~]$ rpm -qa wine*
> wine-capi-0.9.43-2.fc8
> wine-twain-0.9.43-2.fc8
> wine-nas-0.9.43-2.fc8
> wine-jack-0.9.43-2.fc8
> wine-0.9.43-2.fc8
> wine-cms-0.9.43-2.fc8
> wine-tools-0.9.43-2.fc8
> wine-core-0.9.43-2.fc8
> wine-esd-0.9.43-2.fc8
> wine-ldap-0.9.43-2.fc8

Is your audit daemon running? If yes, all AVCs will be there, so are there any messages when your wine is denied, other than "permission denied"?

>
>
> 2) texlive install was almost successful all the way except for tetex-xdvi no equivalent texlive package. I am surprised that f8 test 1 still had tetex instead of texlive, but here I installed it using the instructions on the Wiki.
>
> [root at localhost Downloads]# yum install texlive texlive-latex
> Setting up Install Process
> Parsing package install arguments
> development 100% |=========================| 2.1 kB 00:00
> primary.sqlite.bz2 100% |=========================| 4.2 MB 00:03
> texlive 100% |=========================| 951 B 00:00
> primary.xml.gz 100% |=========================| 7.2 kB 00:00
> texlive : ################################################## 23/23
> Resolving Dependencies
> --> Running transaction check
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf = 2007 for package: texlive
> --> Processing Dependency: libt1.so.5 for package: texlive
> --> Processing Dependency: libTECkit.so.0 for package: texlive
> --> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-dvips = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-texmf-latex = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive
> --> Processing Dependency: texlive-fonts = 2007-0.10.fc7 for package: texlive
> --> Processing Dependency: libkpathsea.so.4 for package: texlive
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
> ---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
> ---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf-fonts >= 2007 for package: texlive-fonts
> --> Processing Dependency: texlive-texmf-errata-latex = 2007 for package: texlive-texmf-latex
> --> Processing Dependency: texlive-texmf-common = 2007 for package: texlive-texmf-latex
> --> Processing Dependency: texlive-texmf-dvips = 2007 for package: texlive-dvips
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf-errata-common = 2007-0.9.fc7 for package: texlive-texmf-errata-latex
> --> Processing Dependency: texlive-texmf-errata-fonts = 2007 for package: texlive-texmf-fonts
> --> Processing Dependency: texlive-texmf-errata-dvips = 2007 for package: texlive-texmf-dvips
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
>
> Dependencies Resolved
>
> =============================================================================
> Package Arch Version Repository Size
> =============================================================================
> Installing:
> texlive i386 2007-0.10.fc7 texlive 5.8 M
> texlive-latex i386 2007-0.10.fc7 texlive 74 k
> Installing for dependencies:
> kpathsea i386 2007-0.10.fc7 texlive 148 k
> t1lib i386 5.1.1-1.fc8 development 316 k
> teckit i386 2.2.1-1.fc8 development 322 k
> texlive-dvips i386 2007-0.10.fc7 texlive 176 k
> texlive-fonts i386 2007-0.10.fc7 texlive 509 k
> texlive-texmf noarch 2007-0.10.fc7 texlive 8.2 M
> texlive-texmf-common noarch 2007-0.10.fc7 texlive 7.4 k
> texlive-texmf-dvips noarch 2007-0.10.fc7 texlive 826 k
> texlive-texmf-errata noarch 2007-0.9.fc7 texlive 3.3 k
> texlive-texmf-errata-common noarch 2007-0.9.fc7 texlive 3.4 k
> texlive-texmf-errata-dvips noarch 2007-0.9.fc7 texlive 3.3 k
> texlive-texmf-errata-fonts noarch 2007-0.9.fc7 texlive 3.2 k
> texlive-texmf-errata-latex noarch 2007-0.9.fc7 texlive 3.3 k
> texlive-texmf-fonts noarch 2007-0.10.fc7 texlive 55 M
> texlive-texmf-latex noarch 2007-0.10.fc7 texlive 3.1 M
>
> Transaction Summary
> =============================================================================
> Install 17 Package(s)
> Update 0 Package(s)
> Remove 0 Package(s)
>
> Total download size: 74 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/17): kpathsea-2007-0.1 100% |=========================| 148 kB 00:00
> (2/17): teckit-2.2.1-1.fc 100% |=========================| 322 kB 00:00
> (3/17): texlive-texmf-dvi 100% |=========================| 826 kB 00:00
> (4/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
> (5/17): t1lib-5.1.1-1.fc8 100% |=========================| 316 kB 00:00
> (6/17): texlive-texmf-com 100% |=========================| 7.4 kB 00:00
> (7/17): texlive-texmf-200 100% |=========================| 8.2 MB 00:05
> (8/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
> (9/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
> (10/17): texlive-latex-20 100% |=========================| 74 kB 00:00
> (11/17): texlive-texmf-fo 100% |=========================| 55 MB 00:37
> (12/17): texlive-texmf-er 100% |=========================| 3.2 kB 00:00
> (13/17): texlive-2007-0.1 100% |=========================| 5.8 MB 00:04
> (14/17): texlive-dvips-20 100% |=========================| 176 kB 00:00
> (15/17): texlive-fonts-20 100% |=========================| 509 kB 00:00
> (16/17): texlive-texmf-er 100% |=========================| 3.4 kB 00:00
> (17/17): texlive-texmf-la 100% |=========================| 3.1 MB 00:02
> Running rpm_check_debug
> --> Populating transaction set with selected packages. Please wait.
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
> ---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
> ---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
> ERROR with rpm_check_debug vs depsolve:
> Package tetex-xdvi needs tetex-dvips = 3.0, this is not available.
> Complete!
>
>
> and selinux is causing too much trouble. Here's an example: Sorry for all the text in the selinux alert.
>
> Summary
> SELinux is preventing /usr/lib/firefox-2.0.0.6/firefox-bin from making the
> program stack executable.
>
> Detailed Description
> The /usr/lib/firefox-2.0.0.6/firefox-bin application attempted to make the
> its stack executable. This is a potential security problem. This should
> never ever be necessary. stack memory is not executable on most OSes these
> days and this will not change. Executable stack memory is one of the biggest
> security problems. An execstack error might in fact be most likely raised by
> malicious code. Applications are sometimes coded incorrectly and request
> this permission. The http://people.redhat.com/drepper/selinux-mem.html web
> page explains how to remove this requirement. If /usr/lib/firefox-2.0.0.6
> /firefox-bin does not work and you need it to work, you can configure
> SELinux temporarily to allow this access until the application is fixed.
> Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
>
> Allowing Access
> Sometimes a library is accidentally marked with the execstack flag, if you
> find a library with this flag you can clear it with the execstack -c
> LIBRARY_PATH. Then retry your application. If the app continues to not
> work, you can turn the flack back on with execstac -s LIBRARY_PATH.
> Otherwise, if you trust /usr/lib/firefox-2.0.0.6/firefox-bin to run
> correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> /usr/lib/firefox-2.0.0.6/firefox-bin" You must also change the default file
> context files on the system in order to preserve them even on a full
> relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
> /usr/lib/firefox-2.0.0.6/firefox-bin"
>
> The following command will allow this access:
> chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin
>
> Additional Information
>
> Source Context system_u:system_r:unconfined_t
> Target Context system_u:system_r:unconfined_t
> Target Objects None [ process ]
> Affected RPM Packages firefox-2.0.0.6-3.fc8 [application]
> Policy RPM selinux-policy-3.0.5-8.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.allow_execstack
> Host Name localhost
> Platform Linux localhost 2.6.23-0.115.rc3.git1.fc8 #1 SMP
> Fri Aug 17 20:58:14 EDT 2007 i686 athlon
> Alert Count 6
> First Seen Tue 21 Aug 2007 04:17:07 PM CDT
> Last Seen Tue 21 Aug 2007 04:54:17 PM CDT
> Local ID bbd222d8-abbe-4dd8-b54b-46c7d29b434c
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execstack } for comm="firefox-bin" egid=500 euid=500
> exe="/usr/lib/firefox-2.0.0.6/firefox-bin" exit=-13 fsgid=500 fsuid=500 gid=500
> items=0 pid=3011 scontext=system_u:system_r:unconfined_t:s0 sgid=500
> subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
> tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

This is not a problem with SELinux but with firefox. As you see, firefox needs an executable stack; if you trust firefox, you can enable it by following the guide from sealert.

>
> SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).
> SELinux prevented /usr/sbin/ntpd from using the terminal 0

SELinux by default prevents confined daemons from talking to the terminal. This is actually considered a security feature: you would not want a compromised daemon to prompt you for a login/passwd. Most daemons that are coded correctly will, shortly after startup, close their open file descriptors before going into daemon mode. So in this case, SELinux is a second line of defense.

If you trust all your confined daemons, you can use the following command to enable your daemons to talk to the tty:

setsebool -P allow_daemons_use_tty=1

BTW, for http there is a specific boolean: httpd_tty_comm

>
> avc: denied { read, write } for comm="ntpd" dev=devpts egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="0" pid=17348 scontext=user_u:system_r:ntpd_t:s0 sgid=0 subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=chr_file tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0
>
>
> SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "create" to (unlabeled_t).
> SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "append" to /var/log/cups/error_log (cupsd_log_t).
> SELinux prevented /sbin/rpc.statd from using the terminal /dev/pts/0.
> ......, there are a bunch of them. sorry for not posting them.
>
> dmesg does not show any of these when running dmesg from the terminal.
> see
> http://www.geocities.com/olivares14031//20070821164505-dmesg.htm
> for details. Will do an
>
> # touch /.autorelabel
> # reboot
>
> and hope that it cures many of these issues.
>
> Regards,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 22 Aug 2007 09:35:39 +0100
Subject: Data access to two daemon
In-Reply-To: <16de708d0708211355x744747ech1cffd5e2da5a2daf@mail.gmail.com>
References: <16de708d0708211355x744747ech1cffd5e2da5a2daf@mail.gmail.com>
Message-ID: <46CBF55B.5060008@city-fan.org>

Arthur Pemberton wrote:
> I have a personal server setup with SELinux in targeted mode.
>
> I would like to allow rw access over these files to Samba, and ro
> access to these files to httpd.
>
> In my current setup, SELinux requires the security context of the
> respective daemon to allow access to them.
>
> Since I gave Samba access more priority, the current context is:
> root:object_r:samba_share_t
>
> The files are not owned by root, they are currently chowned pembo13:comrades.
>
> Please advise on the best method to arrange for the access that I seem
> to require.

Use context type public_content_rw_t, and set the boolean allow_smbd_anon_write to 1.

Paul.
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 22 Aug 2007 07:57:40 -0400
Subject: F7 mls enforcing failed login and recursive fault
In-Reply-To: <8A64B753-D3D6-4BF8-B728-4474963B44DA@nall.com>
References: <8A64B753-D3D6-4BF8-B728-4474963B44DA@nall.com>
Message-ID: <1187783860.1451.239.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-08-21 at 19:19 -0500, Joe Nall wrote:
> I built and fully updated a F7/MLS system today and was unable to
> login in MLS enforcing from the console or ssh (no X, init level 2 or
> 3). I rebooted with a clean audit.log in permissive mode, logged in
> and found two login related denials
>
> type=AVC msg=audit(1187740851.272:22): avc: denied
> { audit_control } for pid=2299 comm="login" capability=30
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tclass=capability

Hmmm...why does the Fedora policy differ from refpolicy in its audit-related permissions and interfaces?

> and a second dbus related one that I was unable to replicate for this
> email
>
> I created a quick policy to see if I could log in in enforcing mode.
>
> policy_module(f7fix,1.0.0)
>
> gen_require(`
>     type local_login_t, initrc_t;
>     class dbus send_msg;
> ')
>
> allow local_login_t initrc_t:dbus send_msg;
> allow local_login_t self:capability audit_control;

Should really be using a refpolicy interface if one exists to grant these kinds of permissions. Sadly, audit2allow -R doesn't seem to turn anything up here for the avc above.

> and got this nasty result
>
> Aug 21 18:19:12 f7 kernel: ds: 007b es: 007b fs: 00d8 gs: 0000
> ss: 0068
> Aug 21 18:19:12 f7 kernel: Process login (pid: 2310, ti=f7f98000
> task=f70de2b0 task.ti=f7f98000)
> Aug 21 18:19:12 f7 kernel: Stack: c06ab7d9 fffffff3 00000000 c06f27ac
> fffffff3 fffffff3 00000000 c04ad93d
> Aug 21 18:19:12 f7 kernel: c06f27a0 f77b8878 c04ad987 f77b8800
> f77b8800 f77b8878 c0555fae f7c8df00
> Aug 21 18:19:12 f7 kernel: c05509ee f77b8800 f773e938 00000000
> 00000000 c0550a20 f70aa800 c053660d
> Aug 21 18:19:12 f7 kernel: Call Trace:
> Aug 21 18:19:12 f7 kernel: [] remove_files+0x15/0x1e
> Aug 21 18:19:12 f7 kernel: [] sysfs_remove_group+0x41/0x57
> Aug 21 18:19:12 f7 kernel: [] device_pm_remove+0x32/0x70
> Aug 21 18:19:12 f7 kernel: [] device_del+0x183/0x1ad
> Aug 21 18:19:12 f7 kernel: [] device_unregister+0x8/0x10
> Aug 21 18:19:12 f7 kernel: [] vcs_remove_sysfs+0x17/0x31
> Aug 21 18:19:12 f7 kernel: [] con_close+0x49/0x5b
> Aug 21 18:19:12 f7 kernel: [] release_dev+0x1df/0x5e3
> Aug 21 18:19:12 f7 kernel: [] free_pages_bulk+0x100/0x16e
> Aug 21 18:19:12 f7 kernel: [] __pagevec_free+0x14/0x1a
> Aug 21 18:19:12 f7 kernel: [] release_pages+0x10a/0x112
> Aug 21 18:19:12 f7 kernel: [] tty_release+0xf/0x18
> Aug 21 18:19:12 f7 kernel: [] __fput+0xb4/0x16a
> Aug 21 18:19:12 f7 kernel: [] filp_close+0x51/0x58
> Aug 21 18:19:12 f7 kernel: [] put_files_struct+0x5f/0xa7
> Aug 21 18:19:12 f7 kernel: [] do_exit+0x21f/0x6d3
> Aug 21 18:19:12 f7 kernel: [] sys_exit_group+0x0/0xd
> Aug 21 18:19:12 f7 kernel: [] syscall_call+0x7/0xb
> Aug 21 18:19:12 f7 kernel: [] __sched_text_start+0x6e8/0x89e
> Aug 21 18:19:12 f7 kernel: =======================
> Aug 21 18:19:12 f7 kernel: Code: 8b 40 24 8b 40 24 c3 8b 40 14 8b 00
> c3 8b 40 14 8b 00 c3 55 57 56 53 83 ec 0c 85 c0 89 44 24 04 89 14 24
> 0f 84 ed 00 00 00 89 c2 <8b> 40 0c 85 c0 0f 84 e0 00 00 00 8b 52 54
> 83 c0 74 89 54 24 08
> Aug 21 18:19:12 f7 kernel: EIP: [] sysfs_hash_and_remove
> +0x18/0x110 SS:ESP 0068:f7f98e04
> Aug 21 18:19:12 f7 kernel: Fixing recursive fault but reboot is needed!

That should have shown up as a denial on sysfs_t unless it was dontaudit'd. sysfs code had a bug where it wasn't checking for failure on a lookup, triggerable upon SELinux permission denial. Already fixed in the mainline kernel as of 2.6.23-rc1 and later I believe.

>
> potentially relevant rpm versions
>
> kernel-2.6.21-1.3194.fc7
> audit-1.5.3-1.fc7
> util-linux-2.13-0.52.fc7
> checkpolicy-2.0.3-1.fc7
> policycoreutils-2.0.16-11.fc7
> policycoreutils-gui-2.0.16-11.fc7
> policycoreutils-newrole-2.0.16-11.fc7
> seedit-policy-2.1.1-2.fc7.2
> selinux-policy-2.6.4-33.fc7
> selinux-policy-devel-2.6.4-33.fc7
> selinux-policy-mls-2.6.4-33.fc7
> selinux-policy-targeted-2.6.4-33.fc7
>
> joe

--
Stephen Smalley
National Security Agency
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 22 Aug 2007 08:50:38 -0400
Subject: Data access to two daemon
In-Reply-To: <16de708d0708211355x744747ech1cffd5e2da5a2daf@mail.gmail.com>
References: <16de708d0708211355x744747ech1cffd5e2da5a2daf@mail.gmail.com>
Message-ID: <1187787038.1451.284.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-08-21 at 15:55 -0500, Arthur Pemberton wrote:
> I have a personal server setup with SELinux in targeted mode.
>
> I would like to allow rw access over these files to Samba, and ro
> access to these files to httpd.
>
> In my current setup, SELinux requires the security context of the
> respective daemon to allow access to them.
>
> Since I gave Samba access more priority, the current context is:
> root:object_r:samba_share_t
>
> The files are not owned by root, they are currently chowned pembo13:comrades.
>
> Please advise on the best method to arrange for the access that I seem
> to require.

man samba_selinux seems to suggest using public_content_rw_t on the file and setting the allow_smbd_anon_write boolean.

--
Stephen Smalley
National Security Agency

From: fedora01 at grifent.com (John Griffiths)
Date: Wed, 22 Aug 2007 12:42:00 -0400
Subject: Data access to two daemon
In-Reply-To: <20070822160010.74F7A73136@hormel.redhat.com>
References: <20070822160010.74F7A73136@hormel.redhat.com>
Message-ID: <46CC6758.2020609@grifent.com>

An HTML attachment was scrubbed...
URL:
From: aleksander.adamowski at altkom.pl (Aleksander Adamowski)
Date: Thu, 23 Aug 2007 12:01:39 +0200
Subject: A tool to generate missing requires for a SELinux module?
Message-ID: <46CD5B03.8030303@altkom.pl>

Hi!

I often find myself in need of a tool that would scan a module's .te file and generate the missing requires.

It should determine all the missing requires, for which there are rules in that module, in one pass, and present either the missing requires only, or the full contents of the require {} section (in the second case, it could merge the missing class permissions with any existing permissions for given pre-existing classes).

I know that I can use audit2allow to generate the requires for me with the -r switch, but it has 3 shortcomings:

1. It dumbly generates requires for all the classes/types/attributes it sees - and since it doesn't know anything about the intended module where the rules will go to, it will probably generate requires for types/attributes that are defined in that module. Such require output, when blindly pasted into the module's source, will generate duplicate definition errors.

2. It knows nothing about preexisting requires in the target module, so it will spit out all of them and one has to remove duplicates by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")

3. It won't help me if I write some rules by hand, not based on AVC messages.

I think the problem is widespread enough that someone could have written a tool for that already - I'd like to know about that before I start writing one myself :)

--
Best Regards,
Aleksander Adamowski
GG#: 274614 ICQ UIN: 19780575
http://olo.org.pl

--
Aleksander Adamowski
Corporate systems administrator; instructor
Altkom Akademia S.A.
http://www.altkom.pl
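As an added example of the tool Aleksander asks for above (it is not audit2allow and not code from any existing SELinux project), here is a Python script that parses a .te module, subtracts what the module defines itself and what its gen_require already lists from what its access-vector rules reference, and prints either the missing entries alone or the merged require section. It assumes requires are written in the gen_require(` ... ') form and follows the refpolicy naming convention that only types end in _t; the sample module it runs on is constructed.

```python
"""Generate the missing gen_require() entries for a refpolicy-style .te module.
Added example for the tool described above (not audit2allow or any existing
SELinux utility); SAMPLE_TE is a constructed module.  Assumptions: requires use
the gen_require(` ... ') form and identifiers not ending in _t are attributes
(refpolicy naming).  Handles allow/dontaudit/auditallow/neverallow rules with
plain identifiers, { sets } and self; not role/user, typeattribute or if-blocks.
"""
import re
from collections import defaultdict

COMMENT_RE = re.compile(r"#.*")
REQUIRE_RE = re.compile(r"gen_require\s*\(\s*`(.*?)'\s*\)", re.S)
# Local definitions: 'type foo_t;', 'type foo_t, some_attr;', 'attribute bar;'
DEF_RE = re.compile(r"^\s*(?:type|attribute)\s+([A-Za-z0-9_]+)", re.M)
_TOK = r"(\{[^}]*\}|[^\s:;{}]+)"  # one identifier or a brace-delimited set
AV_RE = re.compile(r"\b(?:allow|dontaudit|auditallow|neverallow)\s+" + _TOK
                   + r"\s+" + _TOK + r"\s*:\s*" + _TOK + r"\s+" + _TOK + r"\s*;")


def split_set(token):
    """'{ a b }' -> ['a', 'b'];  'foo_t' -> ['foo_t']."""
    return token.strip("{}").split()


def parse_require(body):
    """Parse one gen_require body into (types, attributes, {class: perms})."""
    types, attrs, classes = set(), set(), defaultdict(set)
    for stmt in body.split(";"):
        words = stmt.replace(",", " ").split()
        if words and words[0] == "type":
            types.update(words[1:])
        elif words and words[0] == "attribute":
            attrs.update(words[1:])
        elif len(words) > 2 and words[0] == "class":
            classes[words[1]].update(split_set(" ".join(words[2:])))
    return types, attrs, classes


def render_require(types, attrs, classes):
    """Render a gen_require() section, sorted, in refpolicy style."""
    lines = ["gen_require(`"]
    if types:
        lines.append("\ttype %s;" % ", ".join(sorted(types)))
    if attrs:
        lines.append("\tattribute %s;" % ", ".join(sorted(attrs)))
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        lines.append("\tclass %s %s;" % (cls, body))
    lines.append("')")
    return "\n".join(lines)


def missing_requires(te_text):
    """Return (missing, merged) triples of (types, attributes, {class: perms}):
    what the require section lacks, and the section after merging."""
    text = COMMENT_RE.sub("", te_text)
    have_t, have_a, have_c = set(), set(), defaultdict(set)   # already required
    for body in REQUIRE_RE.findall(text):
        t, a, c = parse_require(body)
        have_t |= t
        have_a |= a
        for cls, perms in c.items():
            have_c[cls] |= perms
    # Types/attributes defined by the module itself must not be required again
    # (that is the duplicate-definition error pasted audit2allow -r output gives).
    local = set(DEF_RE.findall(REQUIRE_RE.sub("", text)))
    need_t, need_a, need_c = set(), set(), defaultdict(set)   # referenced by rules
    for src, tgt, cls_tok, perm_tok in AV_RE.findall(text):
        for ident in split_set(src) + split_set(tgt):
            ident = ident.lstrip("-~")  # strip set-exclusion / complement markers
            if ident in ("self", "*") or ident in local:
                continue
            (need_t if ident.endswith("_t") else need_a).add(ident)
        for cls in split_set(cls_tok):
            need_c[cls].update(p for p in split_set(perm_tok) if p != "*")
    missing_c = {c: p - have_c[c] for c, p in need_c.items() if p - have_c[c]}
    merged_c = {c: have_c[c] | need_c[c] for c in set(have_c) | set(need_c)}
    return ((need_t - have_t, need_a - have_a, missing_c),
            (have_t | need_t, have_a | need_a, merged_c))


# Constructed sample, modelled on the f7fix module posted earlier in this
# thread, plus a local type, a local attribute and a set-valued rule.
SAMPLE_TE = """
gen_require(`
    type local_login_t;
    class dbus send_msg;
')

type f7fix_tmp_t;          # defined here: must not be listed in the requires
attribute f7fix_domain;

allow local_login_t initrc_t:dbus send_msg;
allow local_login_t self:capability audit_control;
allow f7fix_domain f7fix_tmp_t:file { read write };
allow local_login_t { etc_t f7fix_tmp_t }:dir search;
dontaudit local_login_t domain:process getattr;
"""

if __name__ == "__main__":
    missing, merged = missing_requires(SAMPLE_TE)
    print("# missing only:\n" + render_require(*missing))
    print("\n# full merged section:\n" + render_require(*merged))
```

Running it on SAMPLE_TE lists etc_t, initrc_t, the domain attribute and the capability/dir/file/process classes as missing, leaves the already-required local_login_t and dbus send_msg out of the "missing only" output, and never requires the locally defined f7fix_tmp_t or f7fix_domain.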
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 23 Aug 2007 09:42:48 -0400
Subject: Questions about some selinux audit messages
In-Reply-To: <1187703800.3421.15.camel@hugo.iguanait.com>
References: <1187703800.3421.15.camel@hugo.iguanait.com>
Message-ID: <46CD8ED8.2030105@redhat.com>

Ali Nebi wrote:
> Hi everyone,
>
> i get in all servers these audit messages:
>
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:356):avc:denied
> { append } for pid=9416 comm="sendmail" name="error.log" dev=dm-0
> ino=16416800 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied
> { read write } for pid=9416 comm="sendmail" name="[eventpoll]"
> dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied
> { append } for pid=9417 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
>
> Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied
> { getattr } for pid=9417 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
>
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:360):avc:denied
> { append } for pid=9448 comm="sendmail" name="error.log" dev=dm-0
> ino=16416800 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:361):avc:denied
> { read write } for pid=9448 comm="sendmail" name="[eventpoll]"
> dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.253:362):avc:denied
> { append } for pid=9449 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
>
> Aug 21 14:26:58 casamerica kernel: audit(1187699218.256:363):avc:denied
> { getattr } for pid=9449 comm="postdrop" name="error_log" dev=dm-0
> ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
> tcontext=root:object_r:httpd_log_t:s0 tclass=file
>
> Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied
> { name_connect } for pid=32151 comm="httpd" dest=5432
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>
> so, these are the messages.
>
> We have installed Fedora 6, x86_64
> My questions are these:
>
> 1. Why does postdrop try to read, append and get the attributes of the apache logs? Can it be because we have installed the Logwatch program? We get these on all servers.

This probably means the logwatch program is leaking file descriptors when executing postfix. Logwatch has an open file descriptor to the error.log file with append access. When it executes postfix, it does not automatically close the file descriptor, so SELinux checks the access to the open file descriptor when starting postfix, denies it, closes it, reports the avc and continues executing the program.

>
> 2. I have to allow postdrop to do what is needed with the logs; is this secure and will it not be a problem for something?
>

No, you probably want to dontaudit this, and get the logwatch developers to fix their code.

> 3. For the last one, httpd tries to connect to the postgresql socket; why does this happen and is it secure?
>
> 4. I have to give httpd this permission to connect to postgresql.
>
> We have set postgresql to work on localhost and not to execute queries from remote hosts and sites.

There is a boolean for this: httpd_can_network_connect_db

setsebool -P httpd_can_network_connect_db=1

>
> I will wait for your opinions, thanks in advance.
>
> Regards, Ali Nebi!
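An added example (not logwatch or postfix code) of the descriptor leak Dan describes above, and of the descriptor hygiene Ken YANG mentions for daemons earlier in the thread: the leaky open beside the close-on-exec fix, plus a pre-exec check that lists which descriptors an exec() would hand to the child. It uses a temporary file in place of error_log and a small python child in place of postdrop, and needs a POSIX system with Python 3.7 or later.

```python
"""Demonstrate the descriptor leak described above: a parent holding a log file
open for append execs a helper, and the helper inherits the descriptor.  Under
SELinux the helper's domain is then checked against that open file on exec,
the access is denied and logged (the postdrop / httpd_log_t AVCs quoted above)
and the descriptor is closed.  Added example, not logwatch or postfix code; a
temporary file stands in for error_log and a tiny python child for postdrop.
Needs a POSIX system and Python 3.7+.
"""
import os
import subprocess
import sys
import tempfile

# The child reports whether the descriptor number it was given is open *and*
# refers to the parent's file (same device and inode), i.e. whether that
# descriptor survived the exec().  Comparing dev/ino avoids a false positive
# when the child happens to reuse the same descriptor number for another file.
CHILD = ("import os, sys\n"
         "fd, dev, ino = map(int, sys.argv[1:])\n"
         "try:\n"
         "    st = os.fstat(fd)\n"
         "    print('inherited' if (st.st_dev, st.st_ino) == (dev, ino) else 'closed')\n"
         "except OSError:\n"
         "    print('closed')\n")


def child_sees_fd(fd):
    """Exec a child the way a C program's bare fork()/exec() would (no descriptor
    scrubbing, hence close_fds=False) and report whether `fd` reached it."""
    st = os.fstat(fd)
    out = subprocess.run([sys.executable, "-c", CHILD, str(fd), str(st.st_dev), str(st.st_ino)],
                         close_fds=False, capture_output=True, text=True)
    return out.stdout.strip() == "inherited"


def inheritable_fds(max_fd=256):
    """Descriptors above stdio that an exec() would hand to the child: the check
    to run (or the list to close) right before spawning a helper."""
    leaked = []
    for fd in range(3, max_fd):
        try:
            if os.get_inheritable(fd):
                leaked.append(fd)
        except OSError:  # not an open descriptor
            pass
    return leaked


def leaky_exec(log_path):
    """The bug: the log is opened without close-on-exec, so exec() leaks it.
    Returns (flagged_by_precheck, inherited_by_child)."""
    fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o644)
    os.set_inheritable(fd, True)   # what a plain open(2) without O_CLOEXEC gives
    try:
        return fd in inheritable_fds(), child_sees_fd(fd)
    finally:
        os.close(fd)


def fixed_exec(log_path):
    """The fix: mark the descriptor close-on-exec before spawning anything.
    Returns (flagged_by_precheck, inherited_by_child)."""
    fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_CLOEXEC, 0o644)
    try:
        return fd in inheritable_fds(), child_sees_fd(fd)
    finally:
        os.close(fd)


def demo():
    """Run both variants against a temporary error_log and return
    {'leaky': (flagged, inherited), 'fixed': (flagged, inherited)}."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "error_log")
        return {"leaky": leaky_exec(path), "fixed": fixed_exec(path)}


if __name__ == "__main__":
    print(demo())   # {'leaky': (True, True), 'fixed': (False, False)}
```

The pre-exec check flags the leaky descriptor before any child is started, which is the point at which a program like logwatch would either close it or set FD_CLOEXEC; with the descriptor closed on exec, there is nothing left for the postdrop domain to be checked against and the AVC disappears.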
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 23 Aug 2007 09:45:30 -0400
Subject: several problems after successful update, wine, texlive and selinux
In-Reply-To: <46CBE634.4030906@gmail.com>
References: <196166.34644.qm@web52611.mail.re2.yahoo.com> <46CBE634.4030906@gmail.com>
Message-ID: <46CD8F7A.4030608@redhat.com>

Ken YANG wrote:
> Antonio Olivares wrote:
>> Dear all,
>>
>> I have successfully updated the machine I asked help to update for which advice was quickly given and resolved. However, after updating I find the following problems:
>>
>> 1) wine does not work. Is it because of selinux? dmesg does not show this :(
>>
>> [olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
>> [1] 3004
>> [olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied
>>
>> [1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
>> [olivares at localhost ~]$ wine --help

Most likely wine or one of its libraries is labeled incorrectly. Look in /var/log/audit/audit.log for avc messages. Wine requires execmem and execstack privs, and all of its libraries should be labeled with textrel_shlib_t. If you send us the AVC messages we could help you diagnose the problem.
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 23 Aug 2007 09:48:19 -0400
Subject: too many selinux alerts, after touch ./ autorelabel reboot
In-Reply-To: <333953.82549.qm@web52604.mail.re2.yahoo.com>
References: <333953.82549.qm@web52604.mail.re2.yahoo.com>
Message-ID: <46CD9023.8000707@redhat.com>

Antonio Olivares wrote:
> Dear all,
>
> selinux on rawhide is cranking out many denials. These do not show up on dmesg. What is happening? I do not know enough to help myself fix them.
>
> Here's one of them
>
> Summary
> SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles (setfiles_exec_t).
>
> Detailed Description
> SELinux denied access requested by dhclient-script. It is not expected that this access is required by dhclient-script and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /sbin/setfiles, restorecon -v /sbin/setfiles If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                user_u:system_r:dhcpc_t
> Target Context                system_u:object_r:setfiles_exec_t
> Target Objects                /sbin/setfiles [ file ]
> Affected RPM Packages         policycoreutils-2.0.19-1.fc8 [target]
> Policy RPM                    selinux-policy-2.6.5-2.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
> Alert Count                   1
> First Seen                    Tue 21 Aug 2007 07:41:12 AM CDT
> Last Seen                     Tue 21 Aug 2007 07:41:12 AM CDT
> Local ID                      73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles" path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0 subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
>
>
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
> SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
> SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).
>
> This one is a major one:
> SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
>
> Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."
> The following command will allow this access: setsebool -P allow_daemons_use_tty=1
>
>
> There are some more, but in reality, I cannot understand why they do not show up on a regular dmesg. How can I cure all these selinux denials? This is reminiscent of the installation of Fedora 7, with too many problems with selinux.
>

The audit subsystem intercepts this kind of message and places it in /var/log/audit/audit.log

You are running a really old version of selinux policy for fc8. You should probably yum update.

> Sorry to complain, but I need some help. I hope that I am not the only one with these kinds of errors.
>
> Regards,
>
> Antonio

From selinux at gmail.com Thu Aug 23 15:21:32 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 23 Aug 2007 08:21:32 -0700
Subject: gnome-keyring-daemon and ~/keyrings
Message-ID: <4c4ba1530708230821jfd16cb0x50d41965131839ff@mail.gmail.com>

Running latest Rawhide, targeted enforcing.

Notice this:

type=AVC msg=audit(1187879289.771:16): avc: denied { write } for pid=3165 comm="gnome-keyring-d" name="keyrings" dev=dm-0 ino=131089 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_gnome_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5 success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1 pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

But 'ps agxZ | grep key' shows:

[root at localhost lib]# ps agxZ | grep key
system_u:system_r:unconfined_t  3150 ?      S    0:00 /usr/bin/gnome-keyring-daemon
system_u:system_r:unconfined_t  3971 pts/0  S+   0:00 grep key
[root at localhost lib]#

pid in AVC says '3165', not 3150, so .....

What could this be? Leaked fd?

tom
--
Tom London

From selinux at gmail.com Thu Aug 23 15:23:38 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 23 Aug 2007 08:23:38 -0700
Subject: mixer_applet2 and execmod ?!
Message-ID: <4c4ba1530708230823h65d96405r109dc69489ce74a3@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

This just started (at least, I didn't notice this before):

type=AVC msg=audit(1187881774.893:26): avc: denied { execmod } for pid=3407 comm="mixer_applet2" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187881774.893:26): arch=40000003 syscall=125 success=no exit=-13 a0=e87000 a1=48000 a2=5 a3=bf8f9200 items=0 ppid=3395 pid=3407 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=system_u:system_r:unconfined_t:s0 key=(null)

tom
--
Tom London

From tibbs at math.uh.edu Thu Aug 23 15:33:15 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 23 Aug 2007 10:33:15 -0500
Subject: sendmail->nscd log noise?
Message-ID:

These keep appearing in my logs and logwatch spams me about it daily. Does it actually indicate any type of problem? If not, I guess this merits a ticket against logwatch.

audit(1187812814.448:127): user pid=2725 uid=28 auid=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc: granted null for scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd

 - J<

From ballard at stanford.edu Thu Aug 23 18:19:15 2007
From: ballard at stanford.edu (Barry Allard)
Date: Thu, 23 Aug 2007 11:19:15 -0700
Subject: rhel selinux question
Message-ID: <020001c7e5b2$1d6d24e0$1c2141ab@stanford.edu>

If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.

Files:

/etc/httpd/conf/webauth/keytab
/etc/httpd/conf/webauth/keyring
/etc/httpd/conf/webauth/service_token_cache

Messages:

audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file

audit2allow says

"allow httpd_t httpd_config_t:dir write;
allow httpd_t httpd_config_t:file write;
allow httpd_t user_home_t:file read;"

but this seems arbitrarily permissive.

What would give only read/write access to these three files? Sorry if this is off-topic.

Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ not much help.
Kind Regards,

Barry Allard
Systems Administrator
Stanford Medical Informatics
+1.650.723.7270

From wart at kobold.org Fri Aug 24 01:30:26 2007
From: wart at kobold.org (Wart)
Date: Thu, 23 Aug 2007 18:30:26 -0700
Subject: ps not showing contexts?
Message-ID: <46CE34B2.3020405@kobold.org>

After a month's worth of rawhide updates, I noticed that ps is no longer reporting the contexts for processes:

[root at localhost audit]# selinuxenabled && echo $?
0
[root at localhost audit]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.5-11.fc8
[root at localhost ~]# ps auwxZ | tail
-                               gdm       2422  0.2  5.7  80604 29540 ?  Ss   21:58   0:03 /usr/libexec/gdmgreeter --gtk-module=gail:atk-bridge:/usr/lib/gtk-2.0/modules/libkeymouselistener
-                               gdm       2424  0.4  0.7  13272  3956 ?  S    21:58   0:05 /usr/libexec/at-spi-registryd
-                               gdm       2426  0.0  0.5  38748  2700 ?  Ssl  21:58   0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=13

Any ideas what may have caused this to stop working?

--Wart

From spng.yang at gmail.com Fri Aug 24 09:04:44 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 24 Aug 2007 17:04:44 +0800
Subject: rhel selinux question
In-Reply-To: <020001c7e5b2$1d6d24e0$1c2141ab@stanford.edu>
References: <020001c7e5b2$1d6d24e0$1c2141ab@stanford.edu>
Message-ID: <46CE9F2C.2070509@gmail.com>

Barry Allard wrote:
> If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.
>
> Files:
>
> /etc/httpd/conf/webauth/keytab
> /etc/httpd/conf/webauth/keyring
> /etc/httpd/conf/webauth/service_token_cache
>
> Messages:
>
> audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
> audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
> audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
> audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
>
> audit2allow says
>
> "allow httpd_t httpd_config_t:dir write;
> allow httpd_t httpd_config_t:file write;
> allow httpd_t user_home_t:file read;"
>
> but this seems arbitrarily permissive.
>
> What would give only read/write access to these three files? Sorry if this is off-topic.
if you only want to permit access to these three files, you can define a specific type for these files, e.g. webauth_config_t, and associate this type with the corresponding files in the ".fc" file.

after installing your own module, you restorecon the label of your files, then this policy module will give access only to these files

>
> Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ not much help.
>
> Kind Regards,
>
> Barry Allard
> Systems Administrator
> Stanford Medical Informatics
> +1.650.723.7270

From spng.yang at gmail.com Fri Aug 24 09:20:48 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 24 Aug 2007 17:20:48 +0800
Subject: A tool to generate missing requires for a SELinux module?
In-Reply-To: <46CD5B03.8030303@altkom.pl>
References: <46CD5B03.8030303@altkom.pl>
Message-ID: <46CEA2F0.7080108@gmail.com>

Aleksander Adamowski wrote:
> Hi!
>
> I often find myself in need of a tool that would scan a module's .te file and generate the missing requires.
>
> It should determine all the missing requires, for which there are rules in that module, in one pass, and present either the missing requires only, or the full contents of the require {} section (in the second case, it could merge the missing class permissions with any existing permissions for given pre-existing classes).
>
> I know that I can use audit2allow to generate the requires for me with the -r switch, but it has 3 shortcomings:
>
> 1. It dumbly generates requires for all the classes/types/attributes it sees - and since it doesn't know anything about the intended module where the rules will go to, it will probably generate requires for types/attributes that are defined in that module. Such require output, when blindly pasted into the module's source, will generate duplicate definition errors.
> 2. It knows nothing about preexisting requires in the target module, so it will spit out all of them and one has to remove duplicates by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")
> 3. It won't help me if I write some rules by hand, not based on AVC messages.
>
> I think the problem is widespread enough that someone could have written a tool for that already - I'd like to know about that before I start writing one myself :)

you can ask selinux at tycho.nsa.gov, i remember there is some work in upstream similar to your idea.

From cpebenito at tresys.com Fri Aug 24 12:42:43 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Fri, 24 Aug 2007 08:42:43 -0400
Subject: [ANN] SETools 3.3.1 Release
Message-ID: <1187959363.13874.148.camel@gorn>

A new release of SETools is now available on the Tresys OSS site, from http://oss.tresys.com. This is a minor release, to fix a few minor issues seen in the 3.3 release. The complete change log for this release follows.

SETools 3.3.1:

* Fix to configure when Tcl is not found on build system; fix when compiling with --disable-gui option.
* Fix to uninstall targets of Java wrappers.
* Fix to libapol where transitive flows could return results that were supposed to be excluded; fixed memory leaks in infoflow graph generation.
* Fix to libsefs when running MLS query on non-MLS fclists.
* Fix to apol when reading older .apol files; fix copy and select all on certain tabs; fix to filter by attribute on some advanced dialogs.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From dwalsh at redhat.com Fri Aug 24 12:45:44 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 24 Aug 2007 08:45:44 -0400
Subject: mixer_applet2 and execmod ?!
In-Reply-To: <4c4ba1530708230823h65d96405r109dc69489ce74a3@mail.gmail.com>
References: <4c4ba1530708230823h65d96405r109dc69489ce74a3@mail.gmail.com>
Message-ID: <46CED2F8.8010802@redhat.com>

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> This just started (at least, I didn't notice this before):
>
> type=AVC msg=audit(1187881774.893:26): avc: denied { execmod } for pid=3407 comm="mixer_applet2" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1187881774.893:26): arch=40000003 syscall=125 success=no exit=-13 a0=e87000 a1=48000 a2=5 a3=bf8f9200 items=0 ppid=3395 pid=3407 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=system_u:system_r:unconfined_t:s0 key=(null)
>
> tom

Yes I already reported this bug on libtheora. I was hoping they fixed it before I put the textrel_shlib_t mapping.

From dwalsh at redhat.com Fri Aug 24 12:47:00 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 24 Aug 2007 08:47:00 -0400
Subject: gnome-keyring-daemon and ~/keyrings
In-Reply-To: <4c4ba1530708230821jfd16cb0x50d41965131839ff@mail.gmail.com>
References: <4c4ba1530708230821jfd16cb0x50d41965131839ff@mail.gmail.com>
Message-ID: <46CED344.9060505@redhat.com>

Tom London wrote:
> Running latest Rawhide, targeted enforcing.
>
> Notice this:
>
> type=AVC msg=audit(1187879289.771:16): avc: denied { write } for pid=3165 comm="gnome-keyring-d" name="keyrings" dev=dm-0 ino=131089 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_gnome_home_t:s0 tclass=dir
> type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5 success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1 pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d" exe="/usr/bin/gnome-keyring-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> But 'ps agxZ | grep key' shows:
>
> [root at localhost lib]# ps agxZ | grep key
> system_u:system_r:unconfined_t  3150 ?      S    0:00 /usr/bin/gnome-keyring-daemon
> system_u:system_r:unconfined_t  3971 pts/0  S+   0:00 grep key
> [root at localhost lib]#
>
> pid in AVC says '3165', not 3150, so .....
>
> What could this be? Leaked fd?
>
> tom

I think this is a new program that unlocks the gnome-keyring at login, so you don't need a secondary login. Probably this pam module should be after the selinux context is set.

From dwalsh at redhat.com Fri Aug 24 12:49:10 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 24 Aug 2007 08:49:10 -0400
Subject: A tool to generate missing requires for a SELinux module?
In-Reply-To: <46CEA2F0.7080108@gmail.com>
References: <46CD5B03.8030303@altkom.pl> <46CEA2F0.7080108@gmail.com>
Message-ID: <46CED3C6.7080404@redhat.com>

Ken YANG wrote:
> Aleksander Adamowski wrote:
>> Hi!
>>
>> I often find myself in need of a tool that would scan a module's .te file and generate the missing requires.
>>
>> It should determine all the missing requires, for which there are rules in that module, in one pass, and present either the missing requires only, or the full contents of the require {} section (in the second case, it could merge the missing class permissions with any existing permissions for given pre-existing classes).
>>
>> I know that I can use audit2allow to generate the requires for me with the -r switch, but it has 3 shortcomings:
>>
>> 1. It dumbly generates requires for all the classes/types/attributes it sees - and since it doesn't know anything about the intended module where the rules will go to, it will probably generate requires for types/attributes that are defined in that module. Such require output, when blindly pasted into the module's source, will generate duplicate definition errors.
>> 2. It knows nothing about preexisting requires in the target module, so it will spit out all of them and one has to remove duplicates by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")
>> 3. It won't help me if I write some rules by hand, not based on AVC messages.
>>
>> I think the problem is widespread enough that someone could have written a tool for that already - I'd like to know about that before I start writing one myself :)
>
> you can ask selinux at tycho.nsa.gov, i remember there is some work in upstream similar to your idea.
The best idea is to get rid of gen_requires altogether, and have the linker/compiler figure it out. This is being worked on in the new polgen implementation.

From dwalsh at redhat.com Fri Aug 24 12:57:37 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 24 Aug 2007 08:57:37 -0400
Subject: rhel selinux question
In-Reply-To: <46CE9F2C.2070509@gmail.com>
References: <020001c7e5b2$1d6d24e0$1c2141ab@stanford.edu> <46CE9F2C.2070509@gmail.com>
Message-ID: <46CED5C1.1020303@redhat.com>

Ken YANG wrote:
> Barry Allard wrote:
>> If someone would be so kind to answer a noob question. When installing an apache authentication extension called WebAuth (3.5.4), it works great with selinux disabled (setenforce 0), but turn on enforcement (setenforce 1), bam, can't read/write the necessary files. To selinux, perhaps it looks like rogue code trying to modify configuration files.
>>
>> Files:
>>
>> /etc/httpd/conf/webauth/keytab
>> /etc/httpd/conf/webauth/keyring
>> /etc/httpd/conf/webauth/service_token_cache
>>

First off, if these files need to be written to by a daemon, I would suggest to the author that they be moved to /var, which is where variable data should be.

I think if you label the directory httpd_sys_script_rw_t these avc's will disappear:

chcon -R -t httpd_sys_script_rw_t /etc/httpd/conf/webauth

Of course this will allow all system scripts to rw these files; DAC permissions are still in effect.

Is this package in Fedora?
>>
>> Messages:
>>
>> audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir
>> audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
>> audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd" name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
>> audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file
>>
>> audit2allow says
>>
>> "allow httpd_t httpd_config_t:dir write;
>> allow httpd_t httpd_config_t:file write;
>> allow httpd_t user_home_t:file read;"
>>
>> but this seems arbitrarily permissive.
>>
>> What would give only read/write access to these three files? Sorry if this is off-topic.
>
> if you only want to permit access to these three files, you can define a specific type for these files, e.g. webauth_config_t, and associate this type with the corresponding files in the ".fc" file.
>
> after installing your own module, you restorecon the label of your files, then this policy module will give access only to these files
>
>>
>> Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ not much help.
>>
>> Kind Regards,
>>
>> Barry Allard
>> Systems Administrator
>> Stanford Medical Informatics
>> +1.650.723.7270

From dwalsh at redhat.com Fri Aug 24 13:00:06 2007
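The two threads above meet in one added example (not a tool from the list, from audit2allow or from the WebAuth project): a scanner of the kind Aleksander asked for, which reads a module's .te source, subtracts the types the module declares itself and the names and permissions its existing require {} block already carries, and reports only the gaps. The input is a constructed webauth_config_t module of the sort Ken suggests; its rules, permissions and the missing httpd_config_t require are invented for the demonstration.

```python
"""Report the require {} entries a SELinux .te module is missing (added example)."""
import re
from collections import defaultdict

# Constructed sample input: a module giving httpd_t a dedicated type for the
# three files under /etc/httpd/conf/webauth. Its require {} block is deliberately
# incomplete (no httpd_config_t, too few file perms, no dir class) for the demo.
SAMPLE_TE = """\
policy_module(webauth, 1.0)

require {
    type httpd_t;
    class file { read getattr };
}

type webauth_config_t;
files_config_file(webauth_config_t)

# httpd lists the directory and creates/replaces the token cache inside it
allow httpd_t webauth_config_t:dir { search getattr write add_name remove_name };
allow httpd_t webauth_config_t:file { create read write getattr unlink };
allow httpd_t httpd_config_t:dir search;
"""

# One rule operand: a bare identifier or a brace-delimited set such as { a b }.
TOKEN = r'(\{[^}]*\}|[^\s{}:;]+)'
AV_RULE = re.compile(
    r'^\s*(?:allow|dontaudit|auditallow|neverallow)\s+' + TOKEN + r'\s+'
    + TOKEN + r'\s*:\s*' + TOKEN + r'\s+' + TOKEN + r'\s*;', re.M)
TYPE_TRANS = re.compile(
    r'^\s*type_transition\s+' + TOKEN + r'\s+' + TOKEN + r'\s*:\s*' + TOKEN
    + r'\s+' + TOKEN + r'\s*;', re.M)
DECL = re.compile(r'^\s*(?:type|attribute)\s+(\w+)', re.M)
REQUIRE_BLOCK = re.compile(r'^\s*require\s*\{(.*?)^\}', re.M | re.S)


def _expand(token):
    """'x' or '{ a b -c }' -> set of identifiers; negations and wildcards dropped."""
    return {t.lstrip('-') for t in token.strip('{} ').split()
            if t not in ('self', '*', '~')}


def parse_require(block):
    """Collect the names and per-class permissions already listed in a require body."""
    names, classes = set(), defaultdict(set)
    for m in re.finditer(r'(type|attribute|class)\s+([^;]+);', block):
        kind, body = m.group(1), m.group(2).strip()
        if kind == 'class':
            cls, _, perms = body.partition(' ')
            classes[cls] |= _expand(perms)
        else:
            names |= {n.strip() for n in body.split(',')}
    return names, classes


def missing_requires(te_source):
    """Return (missing type names, {class: missing perms}) for a .te source.

    Caveats: interface calls such as files_config_file() are not expanded, so a
    type used only as an interface argument is not seen, and an undeclared name
    is reported as a type even if the base policy defines it as an attribute.
    """
    src = re.sub(r'#.*', '', te_source)                  # drop comments
    required, req_perms = set(), defaultdict(set)
    for m in REQUIRE_BLOCK.finditer(src):                # what is already required
        names, classes = parse_require(m.group(1))
        required |= names
        for cls, perms in classes.items():
            req_perms[cls] |= perms
    body = REQUIRE_BLOCK.sub('', src)
    declared = set(DECL.findall(body))                   # defined by this module
    used, used_perms = set(), defaultdict(set)
    for m in AV_RULE.finditer(body):
        used |= _expand(m.group(1)) | _expand(m.group(2))
        for cls in _expand(m.group(3)):
            used_perms[cls] |= _expand(m.group(4))
    for m in TYPE_TRANS.finditer(body):
        used |= _expand(m.group(1)) | _expand(m.group(2)) | _expand(m.group(4))
    missing_types = sorted(used - declared - required)
    missing_perms = {cls: sorted(perms - req_perms[cls])
                     for cls, perms in used_perms.items()
                     if perms - req_perms[cls]}
    return missing_types, missing_perms


def render_require(missing_types, missing_perms):
    """Format the gaps as a require {} block that can be merged into the module."""
    lines = ['require {']
    lines += [f'    type {t};' for t in missing_types]
    lines += [f'    class {cls} {{ {" ".join(perms)} }};'
              for cls, perms in sorted(missing_perms.items())]
    lines.append('}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render_require(*missing_requires(SAMPLE_TE)))
```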
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 24 Aug 2007 09:00:06 -0400
Subject: ps not showing contexts?
In-Reply-To: <46CE34B2.3020405@kobold.org>
References: <46CE34B2.3020405@kobold.org>
Message-ID: <46CED656.5090902@redhat.com>

Wart wrote:
> After a month's worth of rawhide updates, I noticed that ps is no longer reporting the contexts for processes:
>
> [root at localhost audit]# selinuxenabled && echo $?
> 0
> [root at localhost audit]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.0.5-11.fc8
> [root at localhost ~]# ps auwxZ | tail
> -                               gdm       2422  0.2  5.7  80604 29540 ?  Ss   21:58   0:03 /usr/libexec/gdmgreeter --gtk-module=gail:atk-bridge:/usr/lib/gtk-2.0/modules/libkeymouselistener
> -                               gdm       2424  0.4  0.7  13272  3956 ?  S    21:58   0:05 /usr/libexec/at-spi-registryd
> -                               gdm       2426  0.0  0.5  38748  2700 ?  Ssl  21:58   0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=13
>
> Any ideas what may have caused this to stop working?
>
> --Wart

Works for me. Also your selinux-policy is out of date.

# rpm -q selinux-policy
selinux-policy-3.0.6-1.fc8
# rpm -qf /bin/ps
procps-3.2.7-14.fc8

ps auwxZ | head -10
LABEL                          USER  PID %CPU %MEM  VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:init_t:s0    root    1  0.0  0.0 2152 632 ?   Ss   Aug20 0:07 init [5]
system_u:system_r:kernel_t:s0  root    2  0.0  0.0    0   0 ?   S<   Aug20 0:00 [kthreadd]
system_u:system_r:kernel_t:s0  root    3  0.0  0.0    0   0 ?   S<   Aug20 0:00 [migration/0]
system_u:system_r:kernel_t:s0  root    4  0.0  0.0    0   0 ?   S<   Aug20 0:00 [ksoftirqd/0]
system_u:system_r:kernel_t:s0  root    5  0.0  0.0    0   0 ?   S<   Aug20 0:00 [watchdog/0]

From dsugar at tresys.com Fri Aug 24 16:54:44 2007
From: dsugar at tresys.com (Dave Sugar)
Date: Fri, 24 Aug 2007 12:54:44 -0400
Subject: ANN: SELinux Policy IDE (SLIDE) version 1.2
Message-ID: <1187974484.17434.6.camel@localhost.localdomain>

Version 1.2 of the SELinux Policy IDE (SLIDE) from Tresys Technology is now available for download from the Tresys Open source website at http://oss.tresys.com.

SLIDE is an Eclipse plug-in that integrates with the SELinux Reference Policy to provide a development environment for building SELinux policy.

SLIDE Features:

* A graphical user interface for policy development, including policy syntax highlighting, context suggestions, and integrated compilation.
* Integration with SELinux Reference Policy, including quick lookup and documentation for interfaces and macros.
* Wizards and easy to use templates to automate common tasks from creating a new SELinux policy to adding an interface into an existing module.
* Integrated remote policy installation and audit log monitoring, to facilitate policy testing.
* Seamless integration with the power of standard Eclipse.

Version 1.2 highlights:

* Graphical interface for network configuration via corenetwork.
* Added auto completion, context help, and tool tip descriptions for Reference Policy macros, as well as including macros in the interface view and showing their definitions in the declaration view.
* Improved documentation on the open source web site.
* Updates to work with SETools version 3.3.
* Fixed problems with the Console output.
* Bugs fixed with undo/redo when toggling commenting on numerous lines of policy.

If you would like to contribute, currently the best help would be to test and provide feedback on the SLIDE plugin and SLIDE Remote.

Dave Sugar
Tresys Technology, LLC

From psilva at certisign.com.br Fri Aug 24 19:56:58 2007
From: psilva at certisign.com.br (Pedro Silva)
Date: Fri, 24 Aug 2007 16:56:58 -0300
Subject: SELinux and Bugzilla
Message-ID: <46CF380A.1090503@certisign.com.br>

From dwalsh at redhat.com Fri Aug 24 21:17:13 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 24 Aug 2007 17:17:13 -0400
Subject: sendmail->nscd log noise?
In-Reply-To:
References:
Message-ID: <46CF4AD9.4030902@redhat.com>

Jason L Tibbitts III wrote:
> These keep appearing in my logs and logwatch spams me about it daily. Does it actually indicate any type of problem? If not, I guess this merits a ticket against logwatch.
>
> audit(1187812814.448:127): user pid=2725 uid=28 auid=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc: granted null for scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd
>
>  - J<

I have no idea?

From selinux at gmail.com Sat Aug 25 00:51:58 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 24 Aug 2007 17:51:58 -0700
Subject: /dev/shm - tmpfs_t or device_t ?
Message-ID: <4c4ba1530708241751w46a3c03bkba517bcfccc6030b@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

I notice that if I run 'restorecon -v -R -n /dev' I get:

[root at localhost ~]# restorecon -v -R -n /dev
restorecon reset /dev/shm context system_u:object_r:tmpfs_t:s0->system_u:object_r:device_t:s0
[root at localhost ~]#

but

[root at localhost ~]# ls -ldZ /dev/shm
drwxrwxrwt  root root system_u:object_r:tmpfs_t        /dev/shm
[root at localhost ~]#

Seems funny to me.... Is that right?

tom
--
Tom London

From spng.yang at gmail.com Sat Aug 25 04:48:55 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Sat, 25 Aug 2007 12:48:55 +0800
Subject: /dev/shm - tmpfs_t or device_t ?
In-Reply-To: <4c4ba1530708241751w46a3c03bkba517bcfccc6030b@mail.gmail.com>
References: <4c4ba1530708241751w46a3c03bkba517bcfccc6030b@mail.gmail.com>
Message-ID: <46CFB4B7.4020203@gmail.com>

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> I notice that if I run 'restorecon -v -R -n /dev' I get:
> [root at localhost ~]# restorecon -v -R -n /dev
> restorecon reset /dev/shm context system_u:object_r:tmpfs_t:s0->system_u:object_r:device_t:s0
> [root at localhost ~]#
>
> but
> [root at localhost ~]# ls -ldZ /dev/shm
> drwxrwxrwt  root root system_u:object_r:tmpfs_t        /dev/shm
> [root at localhost ~]#
>
> Seems funny to me.... Is that right?

i found your restorecon command runs with "-n", that option means:

-n  don't change any file labels.

additionally, i found there is not any label for it in file_contexts, so i think if there are no type_transition rules in policy, the file label should be inherited from its containing dir, i.e. device_t

>
> tom

From dwalsh at redhat.com Sat Aug 25 09:04:04 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 25 Aug 2007 05:04:04 -0400
Subject: /dev/shm - tmpfs_t or device_t ?
In-Reply-To: <4c4ba1530708241751w46a3c03bkba517bcfccc6030b@mail.gmail.com>
References: <4c4ba1530708241751w46a3c03bkba517bcfccc6030b@mail.gmail.com>
Message-ID: <46CFF084.4030803@redhat.com>

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> I notice that if I run 'restorecon -v -R -n /dev' I get:
> [root at localhost ~]# restorecon -v -R -n /dev
> restorecon reset /dev/shm context
> system_u:object_r:tmpfs_t:s0->system_u:object_r:device_t:s0
> [root at localhost ~]#
>
> but
> [root at localhost ~]# ls -ldZ /dev/shm
> drwxrwxrwt root root system_u:object_r:tmpfs_t /dev/shm
> [root at localhost ~]#
>
> Seems funny to me.... Is that right?
>
> tom

Steven would be better at answering this than me. But restorecon is looking at what matchpathcon tells it, and it is tmpfs_t, but there is actually a tmpfs_t file system mounted here. So we probably could change the file context of the /dev/shm to tmpfs_t to stop restorecon from trying to change it.

From wart at kobold.org Sat Aug 25 22:24:42 2007
From: wart at kobold.org (Wart)
Date: Sat, 25 Aug 2007 15:24:42 -0700
Subject: ps not showing contexts?
In-Reply-To: <46CED656.5090902@redhat.com>
References: <46CE34B2.3020405@kobold.org> <46CED656.5090902@redhat.com>
Message-ID: <46D0AC2A.3050803@kobold.org>

Daniel J Walsh wrote:
> Wart wrote:
>> After a month's worth of rawhide updates, I noticed that ps is no longer
>> reporting the contexts for processes:
>>
>> [root at localhost audit]# selinuxenabled && echo $?
>> 0
>> [root at localhost audit]# rpm -q selinux-policy-targeted
>> selinux-policy-targeted-3.0.5-11.fc8
>> [root at localhost ~]# ps auwxZ | tail
>> -  gdm  2422  0.2  5.7  80604 29540 ?  Ss   21:58  0:03 /usr/libexec/gdmgreeter --gtk-module=gail:atk-bridge:/usr/lib/gtk-2.0/modules/libkeymouselistener
>> -  gdm  2424  0.4  0.7  13272  3956 ?  S    21:58  0:05 /usr/libexec/at-spi-registryd
>> -  gdm  2426  0.0  0.5  38748  2700 ?  Ssl  21:58  0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=13
>>
>> Any ideas what may have caused this to stop working?
>>
>> --Wart
>
> Works for me. Also your selinux-policy is out of date.
>
> # rpm -q selinux-policy
> selinux-policy-3.0.6-1.fc8
> # rpm -qf /bin/ps
> procps-3.2.7-14.fc8
>
> ps auwxZ | head -10
> LABEL                          USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
> system_u:system_r:init_t:s0    root    1  0.0  0.0 2152  632 ?   Ss   Aug20 0:07 init [5]
> system_u:system_r:kernel_t:s0  root    2  0.0  0.0    0    0 ?   S<   Aug20 0:00 [kthreadd]
> system_u:system_r:kernel_t:s0  root    3  0.0  0.0    0    0 ?   S<   Aug20 0:00 [migration/0]
> system_u:system_r:kernel_t:s0  root    4  0.0  0.0    0    0 ?   S<   Aug20 0:00 [ksoftirqd/0]
> system_u:system_r:kernel_t:s0  root    5  0.0  0.0    0    0 ?   S<   Aug20 0:00 [watchdog/0]

Still no luck.
I restored the machine to a previously working state, and then upgraded both procps and *selinux*. Immediately after the upgrade ps stopped showing contexts again.

[...]
Updated:
  libselinux.i386 0:2.0.31-2.fc8
  libselinux-python.i386 0:2.0.31-2.fc8
  selinux-policy.noarch 0:3.0.6-3.fc8
  selinux-policy-devel.noarch 0:3.0.6-3.fc8
  selinux-policy-targeted.noarch 0:3.0.6-3.fc8
Dependency Updated:
  libsemanage.i386 0:2.0.4-1.fc8
  libsepol.i386 0:2.0.7-1.fc8
  policycoreutils.i386 0:2.0.25-2.fc8
  policycoreutils-gui.i386 0:2.0.25-2.fc8
Complete!

[root at localhost ~]# ps auwxZ | head
LABEL  USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
-      root    1  0.0  0.1 2108  624 ?   Ss   02:30 0:02 init [5]
-      root    2  0.0  0.0    0    0 ?   S<   02:30 0:00 [kthreadd]
-      root    3  0.0  0.0    0    0 ?   S<   02:30 0:00 [migration/0]
-      root    4  0.0  0.0    0    0 ?   S<   02:30 0:00 [ksoftirqd/0]
-      root    5  0.0  0.0    0    0 ?   S<   02:30 0:00 [watchdog/0]
-      root    6  0.0  0.0    0    0 ?   S<   02:30 0:00 [events/0]
-      root    7  0.0  0.0    0    0 ?   S<   02:30 0:00 [khelper]
-      root   58  0.0  0.0    0    0 ?   S<   02:30 0:00 [kblockd/0]
-      root   61  0.0  0.0    0    0 ?   S<   02:30 0:00 [kacpid]
[root at localhost ~]# rpm -q selinux-policy
selinux-policy-3.0.6-3.fc8
[root at localhost ~]# rpm -q procps
procps-3.2.7-15.1.fc8

When I get some time I'll start with a fresh F-7 install and then upgrade to rawhide. Maybe some intermediate update broke things beyond repair.

--Wart

From wart at kobold.org Sun Aug 26 17:39:35 2007
From: wart at kobold.org (Wart)
Date: Sun, 26 Aug 2007 10:39:35 -0700
Subject: ps not showing contexts?
In-Reply-To: <46D0AC2A.3050803@kobold.org>
References: <46CE34B2.3020405@kobold.org> <46CED656.5090902@redhat.com> <46D0AC2A.3050803@kobold.org>
Message-ID: <46D1BAD7.5010102@kobold.org>

Wart wrote:
[...]
> Still no luck. I restored the machine to a previously working state, and
> then upgraded both procps and *selinux*. Immediately after the upgrade ps
> stopped showing contexts again.
>
> [...]
> Updated: libselinux.i386 0:2.0.31-2.fc8 libselinux-python.i386
> 0:2.0.31-2.fc8 selinux-policy.noarch 0:3.0.6-3.fc8
> selinux-policy-devel.noarch 0:3.0.6-3.fc8 selinux-policy-targeted.noarch
> 0:3.0.6-3.fc8
> Dependency Updated: libsemanage.i386 0:2.0.4-1.fc8
> libsepol.i386 0:2.0.7-1.fc8 policycoreutils.i386 0:2.0.25-2.fc8
> policycoreutils-gui.i386 0:2.0.25-2.fc8
> Complete!
> [root at localhost ~]# ps auwxZ | head
> LABEL  USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
> -      root    1  0.0  0.1 2108  624 ?   Ss   02:30 0:02 init [5]
> -      root    2  0.0  0.0    0    0 ?   S<   02:30 0:00 [kthreadd]
> -      root    3  0.0  0.0    0    0 ?   S<   02:30 0:00 [migration/0]
> -      root    4  0.0  0.0    0    0 ?   S<   02:30 0:00 [ksoftirqd/0]
> -      root    5  0.0  0.0    0    0 ?   S<   02:30 0:00 [watchdog/0]
> -      root    6  0.0  0.0    0    0 ?   S<   02:30 0:00 [events/0]
> -      root    7  0.0  0.0    0    0 ?   S<   02:30 0:00 [khelper]
> -      root   58  0.0  0.0    0    0 ?   S<   02:30 0:00 [kblockd/0]
> -      root   61  0.0  0.0    0    0 ?   S<   02:30 0:00 [kacpid]
> [root at localhost ~]# rpm -q selinux-policy
> selinux-policy-3.0.6-3.fc8
> [root at localhost ~]# rpm -q procps
> procps-3.2.7-15.1.fc8
>
> When I get some time I'll start with a fresh F-7 install and then upgrade
> to rawhide. Maybe some intermediate update broke things beyond repair.

I think I found the problem.

'ps' tries to find and open 'libselinux.so'. At some point this library was moved from libselinux to libselinux-devel. Since I didn't have libselinux-devel installed, ps failed to load the library and find the selinux context information.
Installing libselinux-devel fixes the problem.

I see three possible ways to fix this:

1) Move libselinux.so back to libselinux
2) Add 'Requires: libselinux-devel' to procps
3) Fix ps to load libselinux.so.1 instead of the unversioned .so file.

--Wart

From dwalsh at redhat.com Mon Aug 27 14:05:47 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Aug 2007 10:05:47 -0400
Subject: ps not showing contexts?
In-Reply-To: <46D1BAD7.5010102@kobold.org>
References: <46CE34B2.3020405@kobold.org> <46CED656.5090902@redhat.com> <46D0AC2A.3050803@kobold.org> <46D1BAD7.5010102@kobold.org>
Message-ID: <46D2DA3B.1060707@redhat.com>

Wart wrote:
> Wart wrote:
> [...]
>> Still no luck. I restored the machine to a previously working state, and
>> then upgraded both procps and *selinux*. Immediately after the upgrade ps
>> stopped showing contexts again.
>>
>> [...]
>> Updated: libselinux.i386 0:2.0.31-2.fc8 libselinux-python.i386
>> 0:2.0.31-2.fc8 selinux-policy.noarch 0:3.0.6-3.fc8
>> selinux-policy-devel.noarch 0:3.0.6-3.fc8
>> selinux-policy-targeted.noarch 0:3.0.6-3.fc8
>> Dependency Updated: libsemanage.i386 0:2.0.4-1.fc8
>> libsepol.i386 0:2.0.7-1.fc8 policycoreutils.i386 0:2.0.25-2.fc8
>> policycoreutils-gui.i386 0:2.0.25-2.fc8
>> Complete!
>> [root at localhost ~]# ps auwxZ | head
>> LABEL  USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
>> -      root    1  0.0  0.1 2108  624 ?   Ss   02:30 0:02 init [5]
>> -      root    2  0.0  0.0    0    0 ?   S<   02:30 0:00 [kthreadd]
>> -      root    3  0.0  0.0    0    0 ?   S<   02:30 0:00 [migration/0]
>> -      root    4  0.0  0.0    0    0 ?   S<   02:30 0:00 [ksoftirqd/0]
>> -      root    5  0.0  0.0    0    0 ?   S<   02:30 0:00 [watchdog/0]
>> -      root    6  0.0  0.0    0    0 ?   S<   02:30 0:00 [events/0]
>> -      root    7  0.0  0.0    0    0 ?   S<   02:30 0:00 [khelper]
>> -      root   58  0.0  0.0    0    0 ?   S<   02:30 0:00 [kblockd/0]
>> -      root   61  0.0  0.0    0    0 ?   S<   02:30 0:00 [kacpid]
>> [root at localhost ~]# rpm -q selinux-policy
>> selinux-policy-3.0.6-3.fc8
>> [root at localhost ~]# rpm -q procps
>> procps-3.2.7-15.1.fc8
>>
>> When I get some time I'll start with a fresh F-7 install and then upgrade
>> to rawhide. Maybe some intermediate update broke things beyond repair.
>
> I think I found the problem.
>
> 'ps' tries to find and open 'libselinux.so'. At some point this library was
> moved from libselinux to libselinux-devel. Since I didn't have
> libselinux-devel installed, ps failed to load the library and find the
> selinux context information.
>
> Installing libselinux-devel fixes the problem.
>
> I see three possible ways to fix this:
>
> 1) Move libselinux.so back to libselinux
> 2) Add 'Requires: libselinux-devel' to procps
> 3) Fix ps to load libselinux.so.1 instead of the unversioned .so file.
>
> --Wart

I will move it back to libselinux package.

From wart at kobold.org Mon Aug 27 18:52:00 2007
From: wart at kobold.org (Michael Thomas)
Date: Mon, 27 Aug 2007 11:52:00 -0700
Subject: ps not showing contexts?
In-Reply-To: <46D2DA3B.1060707@redhat.com>
References: <46CE34B2.3020405@kobold.org> <46CED656.5090902@redhat.com> <46D0AC2A.3050803@kobold.org> <46D1BAD7.5010102@kobold.org> <46D2DA3B.1060707@redhat.com>
Message-ID: <46D31D50.6010700@kobold.org>

Daniel J Walsh wrote:
> Wart wrote:
>> Wart wrote:
>> [...]
>>> Still no luck. I restored the machine to a previously working state, and
>>> then upgraded both procps and *selinux*. Immediately after the upgrade ps
>>> stopped showing contexts again.
>>>
>>> [...]
>>> Updated: libselinux.i386 0:2.0.31-2.fc8 libselinux-python.i386
>>> 0:2.0.31-2.fc8 selinux-policy.noarch 0:3.0.6-3.fc8
>>> selinux-policy-devel.noarch 0:3.0.6-3.fc8
>>> selinux-policy-targeted.noarch 0:3.0.6-3.fc8
>>> Dependency Updated: libsemanage.i386 0:2.0.4-1.fc8
>>> libsepol.i386 0:2.0.7-1.fc8 policycoreutils.i386 0:2.0.25-2.fc8
>>> policycoreutils-gui.i386 0:2.0.25-2.fc8
>>> Complete!
>>> [root at localhost ~]# ps auwxZ | head
>>> LABEL  USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
>>> -      root    1  0.0  0.1 2108  624 ?   Ss   02:30 0:02 init [5]
>>> -      root    2  0.0  0.0    0    0 ?   S<   02:30 0:00 [kthreadd]
>>> -      root    3  0.0  0.0    0    0 ?   S<   02:30 0:00 [migration/0]
>>> -      root    4  0.0  0.0    0    0 ?   S<   02:30 0:00 [ksoftirqd/0]
>>> -      root    5  0.0  0.0    0    0 ?   S<   02:30 0:00 [watchdog/0]
>>> -      root    6  0.0  0.0    0    0 ?   S<   02:30 0:00 [events/0]
>>> -      root    7  0.0  0.0    0    0 ?   S<   02:30 0:00 [khelper]
>>> -      root   58  0.0  0.0    0    0 ?   S<   02:30 0:00 [kblockd/0]
>>> -      root   61  0.0  0.0    0    0 ?   S<   02:30 0:00 [kacpid]
>>> [root at localhost ~]# rpm -q selinux-policy
>>> selinux-policy-3.0.6-3.fc8
>>> [root at localhost ~]# rpm -q procps
>>> procps-3.2.7-15.1.fc8
>>>
>>> When I get some time I'll start with a fresh F-7 install and then upgrade
>>> to rawhide. Maybe some intermediate update broke things beyond repair.
>>
>> I think I found the problem.
>>
>> 'ps' tries to find and open 'libselinux.so'. At some point this library was
>> moved from libselinux to libselinux-devel. Since I didn't have
>> libselinux-devel installed, ps failed to load the library and find the
>> selinux context information.
>>
>> Installing libselinux-devel fixes the problem.
>>
>> I see three possible ways to fix this:
>>
>> 1) Move libselinux.so back to libselinux
>> 2) Add 'Requires: libselinux-devel' to procps
>> 3) Fix ps to load libselinux.so.1 instead of the unversioned .so file.
>>
>> --Wart
>
> I will move it back to libselinux package.

The procps owner is also going to change ps to load libselinux.so.1 (BZ# 255441). Both of these changes should make it far less likely to be a problem again.

Thanks,

--Wart

From ballard at stanford.edu Mon Aug 27 22:47:42 2007
From: ballard at stanford.edu (Barry Allard)
Date: Mon, 27 Aug 2007 15:47:42 -0700
Subject: rhel selinux question
In-Reply-To: <46CFE985.8090100@redhat.com>
References: <020001c7e5b2$1d6d24e0$1c2141ab@stanford.edu> <46CE9F2C.2070509@gmail.com> <46CED5C1.1020303@redhat.com> <001a01c7e680$a5aa43f0$1c2141ab@stanford.edu> <46CF2D8D.2090708@redhat.com> <002d01c7e683$24a8b950$1c2141ab@stanford.edu> <46CF45D7.7030301@redhat.com> <004e01c7e6a1$bea1b3e0$1c2141ab@stanford.edu> <46CFE985.8090100@redhat.com>
Message-ID: <00c801c7e8fc$4792bcb0$1c2141ab@stanford.edu>

Follow-up: went with this and it works now:

/etc/httpd/conf/webauth/keytab              -> /etc/webauth/
/etc/httpd/conf/webauth/keyring             -> /var/lib/webauth/
/etc/httpd/conf/webauth/service_token_cache -> /var/lib/webauth/
/etc/httpd/conf/webauth/krb5cc_ldap         -> /var/lib/webauth/

chcon -R -t httpd_sys_script_rw_t /var/lib/webauth/

Installer script source available upon request.

Much thanks to Daniel Walsh and Ken Yang for pointing me in the right direction.

Barry

From anebi at iguanait.com Tue Aug 28 07:42:32 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Tue, 28 Aug 2007 10:42:32 +0300
Subject: Some questions about /dev/twe* and selinux context
Message-ID: <1188286952.5346.11.camel@hugo.iguanait.com>

Hi all,

I have some problems with selinux context about /dev/twe*

I get these messages:

Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc: denied { getattr } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc: denied { read } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc: denied { ioctl } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I know that /dev/twe* must have fixed_disk_device_t context.

When I fix it with chcon -t fixed_disk_device_t /dev/twe* the avc stops to audit for this. Everything works ok. When I restarted the system, the context changed to device_t again. I wrote in rc.local the command to change context, but it returned me "no such file or directory". I know that twe* devices are created automatically on boot, so let's say that this is no problem. I decided to use semanage to add a rule for /dev/twe* like this:

/usr/sbin/semanage fcontext -a -f -c -t fixed_disk_device_t "/dev/twe*"

After reboot, the result was the same, the context is device_t :(
When I used the restorecon command:

/sbin/restorecon /dev/twe*

it changed the context to fixed_disk_device_t

So the questions are:

1. Where did I make a mistake?
2. What can I do to fix this problem?

Regards, Ali Nebi!

From spng.yang at gmail.com Tue Aug 28 08:51:39 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Tue, 28 Aug 2007 16:51:39 +0800
Subject: Some questions about /dev/twe* and selinux context
In-Reply-To: <1188286952.5346.11.camel@hugo.iguanait.com>
References: <1188286952.5346.11.camel@hugo.iguanait.com>
Message-ID: <46D3E21B.7030603@gmail.com>

Ali Nebi wrote:
> Hi all,
>
> i have some problems with selinux context about /dev/twe*
>
> I get these messages:
>
> Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc: denied
> { getattr } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc: denied
> { read } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc: denied
> { ioctl } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> I know that /dev/twe* must have fixed_disk_device_t context.
>
> When i fix it with chcon -t fixed_disk_device_t /dev/twe* the avc stop
> to audit for this. Everything works ok. When i restarted the system, the
> context changed to device_t again. I wrote in rc.local the command to
> change context, but it returned me "no such file or directory". I know
> that twe* devices are created automatically on boot, so let's say that
> this is no problem. I decided to use semanage to add rule for /dev/twe*
> like this:
> /usr/sbin/semanage fcontext -a -f -c -t fixed_disk_device_t "/dev/twe*"
>
> After reboot, the result was the same, the context is device_t :(
> When i used restorecon command:
> /sbin/restorecon /dev/twe*
> it changed the context to fixed_disk_device_t
>
> So the questions are:
>
> 1. Where i make mistake

I don't have these device files, but as you said, they are created automatically, so the content of file_contexts is useless in this situation, unless the program runs restorecon after creation.

> 2. What can i do to fix this problem ?

Two methods: one is to modify the program, as I mentioned above. VMware had similar problems, which can be resolved by modifying net-service.sh.

Another method is to write policy using transition-based rules, so the files will be labeled rightly after creation. IIRC, "/dev" is tmpfs_t, so you should use transition-based rules.

>
> Regards, Ali Nebi!
>

From dwalsh at redhat.com Tue Aug 28 10:24:21 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 28 Aug 2007 06:24:21 -0400
Subject: Some questions about /dev/twe* and selinux context
In-Reply-To: <1188286952.5346.11.camel@hugo.iguanait.com>
References: <1188286952.5346.11.camel@hugo.iguanait.com>
Message-ID: <46D3F7D5.9040301@redhat.com>

Ali Nebi wrote:
> Hi all,
>
> i have some problems with selinux context about /dev/twe*
>
> I get these messages:
>
> Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc: denied
> { getattr } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc: denied
> { read } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc: denied
> { ioctl } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268
> scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> I know that /dev/twe* must have fixed_disk_device_t context.
>
> When i fix it with chcon -t fixed_disk_device_t /dev/twe* the avc stop
> to audit for this. Everything works ok. When i restarted the system, the
> context changed to device_t again. I wrote in rc.local the command to
> change context, but it returned me "no such file or directory". I know
> that twe* devices are created automatically on boot, so let's say that
> this is no problem. I decided to use semanage to add rule for /dev/twe*
> like this:
> /usr/sbin/semanage fcontext -a -f -c -t fixed_disk_device_t "/dev/twe*"
>

The syntax here is wrong: /dev/twe.* would be correct, although there is already a context for this, so this is not necessary.

> After reboot, the result was the same, the context is device_t :(
> When i used restorecon command:
> /sbin/restorecon /dev/twe*
> it changed the context to fixed_disk_device_t
>
> So the questions are:
>
> 1. Where i make mistake
> 2. What can i do to fix this problem ?
>
> Regards, Ali Nebi!

Who is creating the /dev/twe devices? This is the problem. This app should be made SELinux aware, or use udev, or execute restorecon after creating the device.

From bruno at wolff.to Tue Aug 28 13:42:44 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Tue, 28 Aug 2007 08:42:44 -0500
Subject: Some questions about /dev/twe* and selinux context
In-Reply-To: <46D3F7D5.9040301@redhat.com>
References: <1188286952.5346.11.camel@hugo.iguanait.com> <46D3F7D5.9040301@redhat.com>
Message-ID: <20070828134244.GA27503@wolff.to>

On Tue, Aug 28, 2007 at 06:24:21 -0400, Daniel J Walsh wrote:
>
> Who is creating the /dev/twe devices? This is the problem. This app
> should be made SELinux aware, or use udev or execute restorecon after
> creating the device.

I think there is already a bugzilla about this. There are apparently some character devices used to communicate with a raid card that are only used by smart{d,ctl}. Bruce Allen is looking for suggestions about the right way to do this and there is a thread discussing it on the smartmontools list.

From selinux at gmail.com Tue Aug 28 17:30:59 2007
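The /dev/twe thread turns on two points: file_contexts specs are anchored regular expressions, not shell globs (so "/dev/twe*" never matches twe0, while "/dev/twe.*" does), and a spec only takes effect when something such as restorecon or udev actually applies it. The toy matcher below is an added example written for this page, not libselinux code; it models matchpathcon's anchoring, type flags and last-match-wins lookup on a constructed file_contexts sample and shows the effect of both specs on /dev/twe0.

```python
"""Toy matcher for SELinux file_contexts entries (added example, not libselinux code).

An entry is "<regex> [type-flag] <context>".  The regex is anchored at both ends
and is a regular expression, not a shell glob, so the spec "/dev/twe*" from the
thread means "/dev/tw followed by zero or more e's" and never matches /dev/twe0.
As in matchpathcon, the last matching entry wins, so entries appended by
semanage override the base policy's generic "/dev(/.*)?" rule.
"""
import re
from typing import List, NamedTuple, Optional

# Object-type flags used in file_contexts; an absent flag matches any type.
TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
    "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file",
}

# Regex metacharacters that need escaping when a glob is turned into a spec.
REGEX_SPECIALS = set(".^$+(){}[]|\\")

# Constructed sample modelled on the layout of a targeted file_contexts file.
SAMPLE_FILE_CONTEXTS = """
/.*            system_u:object_r:default_t:s0
/dev(/.*)?     system_u:object_r:device_t:s0
"""

# The spec from the thread, read literally as a regex ...
MISTAKEN_LOCAL = "/dev/twe*   -c  system_u:object_r:fixed_disk_device_t:s0\n"
# ... and the corrected spec from the reply.
CORRECT_LOCAL = "/dev/twe.*  -c  system_u:object_r:fixed_disk_device_t:s0\n"


class Spec(NamedTuple):
    regex: "re.Pattern"
    ftype: Optional[str]   # None means "any object type"
    context: str
    raw: str               # the regex as written, for diagnostics


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts text into Specs, preserving file order."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, flag, ctx = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            path_re, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # matchpathcon anchors every spec at both ends.
        specs.append(Spec(re.compile("^" + path_re + "$"), ftype, ctx, path_re))
    return specs


def match_context(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Return the context of the last spec matching path and object type, or None."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


def glob_to_file_contexts_regex(glob: str) -> str:
    """Translate the shell glob a user has in mind into the regex file_contexts needs.

    A glob star never crosses a directory boundary, so it becomes "[^/]*";
    "/dev/twe.*" from the thread is a looser but equally valid choice.
    """
    out = []
    for ch in glob:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch in REGEX_SPECIALS:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    base = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for local in (MISTAKEN_LOCAL, CORRECT_LOCAL):
        specs = base + parse_file_contexts(local)
        print(f"{local.split()[0]:<12} -> /dev/twe0 labelled",
              match_context(specs, "/dev/twe0", "chr_file"))
    print("glob /dev/twe* as a spec:", glob_to_file_contexts_regex("/dev/twe*"))
```

Even with the correct spec, the device still comes up as device_t after boot until restorecon (or an SELinux-aware creator) applies it, which is the second half of the thread's answer.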
From: selinux at gmail.com (Tom London)
Date: Tue, 28 Aug 2007 10:30:59 -0700
Subject: senmail, /etc/aliases.db ....
Message-ID: <4c4ba1530708281030y6034c89ar4f07804e4fa1630@mail.gmail.com>

Running Rawhide, targeted/enforcing.

Notice this in /var/log/audit/audit.log:

type=AVC msg=audit(1188316403.485:16): avc: denied { create } for pid=2704 comm="newaliases" name="aliases.db" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
type=SYSCALL msg=audit(1188316403.485:16): arch=40000003 syscall=5 success=no exit=-13 a0=bfa8ddd8 a1=c2 a2=1a0 a3=c2 items=0 ppid=2691 pid=2704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)

Looks like it is occurring when sendmail gets started during boot.

Running /usr/bin/newaliases manually at root console works with no AVCs, but leaves /etc/aliases.db with the 'wrong' label:

[root at localhost ~]# ls -Zl /etc/alia*
-rw-r--r--  1 system_u:object_r:etc_aliases_t root root   1512 2005-04-25 09:48 /etc/aliases
-rw-r-----  1 system_u:object_r:etc_t         root smmsp 12288 2007-08-28 10:27 /etc/aliases.db
[root at localhost ~]# restorecon -v /etc/alias*
restorecon reset /etc/aliases.db context system_u:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
[root at localhost ~]#

Should /etc/init.d/sendmail fix the label after running newaliases?

tom
--
Tom London

From paul at city-fan.org Tue Aug 28 20:28:16 2007
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 28 Aug 2007 21:28:16 +0100
Subject: senmail, /etc/aliases.db ....
In-Reply-To: <4c4ba1530708281030y6034c89ar4f07804e4fa1630@mail.gmail.com>
References: <4c4ba1530708281030y6034c89ar4f07804e4fa1630@mail.gmail.com>
Message-ID: <20070828212816.54f1ad40@metropolis.intra.city-fan.org>

On Tue, 28 Aug 2007 10:30:59 -0700 "Tom London" wrote:
> Running Rawhide, targeted/enforcing.
>
> Notice this in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1188316403.485:16): avc: denied { create } for
> pid=2704 comm="newaliases" name="aliases.db"
> scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
> type=SYSCALL msg=audit(1188316403.485:16): arch=40000003 syscall=5
> success=no exit=-13 a0=bfa8ddd8 a1=c2 a2=1a0 a3=c2 items=0 ppid=2691
> pid=2704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
> sgid=51 fsgid=51 tty=(none) comm="newaliases"
> exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0
> key=(null)
>
> Looks like it is occurring when sendmail gets started during boot.
>
> Running /usr/bin/newaliases manually at root console works with no
> AVCs, but leaves /etc/aliases.db with the 'wrong' label:
>
> [root at localhost ~]# ls -Zl /etc/alia*
> -rw-r--r--  1 system_u:object_r:etc_aliases_t root root   1512 2005-04-25 09:48 /etc/aliases
> -rw-r-----  1 system_u:object_r:etc_t         root smmsp 12288 2007-08-28 10:27 /etc/aliases.db
> [root at localhost ~]# restorecon -v /etc/alias*
> restorecon reset /etc/aliases.db context
> system_u:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
> [root at localhost ~]#
>
> Should /etc/init.d/sendmail fix the label after running newaliases?

Possibly, but running newaliases at the console shouldn't result in the wrong label; this is a normal thing to do after updating the aliases file.

Paul.

From anebi at iguanait.com Wed Aug 29 07:08:13 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Wed, 29 Aug 2007 10:08:13 +0300
Subject: Some questions about /dev/twe* and selinux context
In-Reply-To: <20070828160011.AD86973566@hormel.redhat.com>
References: <20070828160011.AD86973566@hormel.redhat.com>
Message-ID: <1188371293.3559.5.camel@hugo.iguanait.com>

Thanks for the tips and answers. I hope that they will fix the problem; I will use some of the techniques that you told me above. This info will be useful for others too.

Thanks.

Regards, Ali Nebi!

From dwalsh at redhat.com Wed Aug 29 10:32:59 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 29 Aug 2007 06:32:59 -0400
Subject: senmail, /etc/aliases.db ....
In-Reply-To: <20070828212816.54f1ad40@metropolis.intra.city-fan.org>
References: <4c4ba1530708281030y6034c89ar4f07804e4fa1630@mail.gmail.com> <20070828212816.54f1ad40@metropolis.intra.city-fan.org>
Message-ID: <46D54B5B.5090403@redhat.com>

Paul Howarth wrote:
> On Tue, 28 Aug 2007 10:30:59 -0700 "Tom London" wrote:
>
>> Running Rawhide, targeted/enforcing.
>>
>> Notice this in /var/log/audit/audit.log:
>>
>> type=AVC msg=audit(1188316403.485:16): avc: denied { create } for
>> pid=2704 comm="newaliases" name="aliases.db"
>> scontext=system_u:system_r:sendmail_t:s0
>> tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
>> type=SYSCALL msg=audit(1188316403.485:16): arch=40000003 syscall=5
>> success=no exit=-13 a0=bfa8ddd8 a1=c2 a2=1a0 a3=c2 items=0 ppid=2691
>> pid=2704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
>> sgid=51 fsgid=51 tty=(none) comm="newaliases"
>> exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0
>> key=(null)
>>
>> Looks like it is occurring when sendmail gets started during boot.
>>
>> Running /usr/bin/newaliases manually at root console works with no
>> AVCs, but leaves /etc/aliases.db with the 'wrong' label:
>>
>> [root at localhost ~]# ls -Zl /etc/alia*
>> -rw-r--r--  1 system_u:object_r:etc_aliases_t root root   1512 2005-04-25 09:48 /etc/aliases
>> -rw-r-----  1 system_u:object_r:etc_t         root smmsp 12288 2007-08-28 10:27 /etc/aliases.db
>> [root at localhost ~]# restorecon -v /etc/alias*
>> restorecon reset /etc/aliases.db context
>> system_u:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
>> [root at localhost ~]#
>>
>> Should /etc/init.d/sendmail fix the label after running newaliases?
>
> Possibly, but running newaliases at the console shouldn't result in the
> wrong label; this is a normal thing to do after updating the aliases
> file.
>
> Paul.

You are right, I need a transition from unconfined to sendmail.

From wart at kobold.org Wed Aug 29 22:37:18 2007
From: wart at kobold.org (Michael Thomas)
Date: Wed, 29 Aug 2007 15:37:18 -0700
Subject: Nagios Web Interface and SELinux
In-Reply-To: <457451D6.9050209@redhat.com>
References: <8719b8230612031148x69f8ba99q2d75173b5468733e@mail.gmail.com> <457451D6.9050209@redhat.com>
Message-ID: <46D5F51E.20206@kobold.org>

Daniel J Walsh wrote:
> Ryan Skadberg wrote:
>> I have been trying to get nagios up and running on 2 different
>> machines. One running FC5 and one running FC6. Nagios itself starts
>> up fine, but the web interface fails miserably.
>>
>> When looking at /var/log/messages, I see things like:
>> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
>> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
>> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>
> Where is this file located? Looks like this needs a context like
> httpd_sys_content_t or httpd_sys_script_t.
>
> chcon -R -t httpd_sys_content_t PATH_TO_DIR

I just ran into the same problem on EPEL-5. It appears that the path for the nagios cgi scripts is wrong in /etc/selinux/targeted/contexts/files/file_contexts:

# grep nagios /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
[...]

This should be:

/usr/lib(64)?/nagios/cgi-bin/.+ --

--Wart

From fedora01 at grifent.com Thu Aug 30 18:56:48 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Thu, 30 Aug 2007 14:56:48 -0400
Subject: gallery2 policy
In-Reply-To: <20070830160016.9C6CE73825@hormel.redhat.com>
References: <20070830160016.9C6CE73825@hormel.redhat.com>
Message-ID: <46D712F0.6040808@grifent.com>

I am using the gallery2 tar ball from http://codex.gallery2.org/Downloads ; it stays more up to date. They have a policy for selinux, but the log still had AVCs in it and denials that prevented gallery2 and specifically the watermark plugin from working. File and directory permissions were an issue. One of the directories is shared by samba so it has the context of public_content_rw_t.

I used audit2allow to get things working, but I would like someone more knowledgeable than me to take a look and see if I have opened any gaping holes and, if so, how to best address the issue.

policy_module(gallery, 1.0)

require {
	type unlabeled_t;
	type httpd_t;
	type httpd_tmp_t;
	type httpd_sys_script_t;
	type public_content_rw_t;
	class file { read write unlink };
	class dir { write remove_name add_name };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t unlabeled_t:file { read write };
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

#============= httpd_t ==============
allow httpd_t public_content_rw_t:dir { write remove_name add_name };
allow httpd_t public_content_rw_t:file unlink;

Thanks,
John Griffiths

From paul at city-fan.org Thu Aug 30 20:09:38 2007
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 30 Aug 2007 21:09:38 +0100
Subject: gallery2 policy
In-Reply-To: <46D712F0.6040808@grifent.com>
References: <20070830160016.9C6CE73825@hormel.redhat.com> <46D712F0.6040808@grifent.com>
Message-ID: <20070830210938.1fce625b@metropolis.intra.city-fan.org>

On Thu, 30 Aug 2007 14:56:48 -0400 John Griffiths wrote:
> I am using the gallery2 tar ball from
> http://codex.gallery2.org/Downloads ; it stays more up to date. They
> have a policy for selinux, but the log still had AVCs in it and
> denials that prevented gallery2 and specifically the watermark plugin
> from working. File and directory permissions were an issue. One of
> the directories is shared by samba so it has the context of
> public_content_rw_t.
>
> I used audit2allow to get things working, but I would like someone
> more knowledgeable than me to take a look and see if I have opened any
> gaping holes and if so, how to best address the issue.
>
>
> policy_module(gallery, 1.0)
>
> require {
> 	type unlabeled_t;
> 	type httpd_t;
> 	type httpd_tmp_t;
> 	type httpd_sys_script_t;
> 	type public_content_rw_t;
> 	class file { read write unlink };
> 	class dir { write remove_name add_name };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t unlabeled_t:file { read write };

There shouldn't be any unlabeled files around; the policy should ensure that any files used or created by gallery are labeled properly. If that's done, this rule shouldn't be needed.

> allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

Not sure about this one. What are the httpd_tmp_t files that gallery is trying to read?

> #============= httpd_t ==============
> allow httpd_t public_content_rw_t:dir { write remove_name add_name };
> allow httpd_t public_content_rw_t:file unlink;

Setting the allow_httpd_anon_write boolean should remove the need for these rules.

Paul.

From eparis at redhat.com Thu Aug 30 20:29:49 2007
From: eparis at redhat.com (Eric Paris)
Date: Thu, 30 Aug 2007 16:29:49 -0400
Subject: gallery2 policy
In-Reply-To: <20070830210938.1fce625b@metropolis.intra.city-fan.org>
References: <20070830160016.9C6CE73825@hormel.redhat.com> <46D712F0.6040808@grifent.com> <20070830210938.1fce625b@metropolis.intra.city-fan.org>
Message-ID: <1188505789.3481.13.camel@localhost.localdomain>

On Thu, 2007-08-30 at 21:09 +0100, Paul Howarth wrote:
> On Thu, 30 Aug 2007 14:56:48 -0400
> John Griffiths wrote:
> > policy_module(gallery, 1.0)
> >
> > require {
> > 	type unlabeled_t;
> > 	type httpd_t;
> > 	type httpd_tmp_t;
> > 	type httpd_sys_script_t;
> > 	type public_content_rw_t;
> > 	class file { read write unlink };
> > 	class dir { write remove_name add_name };
> > }
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t unlabeled_t:file { read write };
>
> There shouldn't be any unlabeled files around; the policy should ensure
> that any files used or created by gallery are labeled properly. If
> that's done, this rule shouldn't be needed.

Regardless of the correctness of the gallery2 policy, unlabeled_t is
(almost) always a bug of one kind or another. Did you create some files
with selinux completely disabled rather than just permissive? Do you
have these files on a filesystem policy knows nothing about (typically a
new FUSE filesystem)?

Tracking down what files are unlabeled_t and how they got that way is
the solution; no rules should allow unlabeled_t.

From fedora01 at grifent.com Thu Aug 30 21:25:07 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Thu, 30 Aug 2007 17:25:07 -0400
Subject: gallery2 policy
In-Reply-To: <1188505789.3481.13.camel@localhost.localdomain>
References: <20070830160016.9C6CE73825@hormel.redhat.com> <46D712F0.6040808@grifent.com> <20070830210938.1fce625b@metropolis.intra.city-fan.org> <1188505789.3481.13.camel@localhost.localdomain>
Message-ID: <46D735B3.7010006@grifent.com>

Eric Paris wrote:
> On Thu, 2007-08-30 at 21:09 +0100, Paul Howarth wrote:
>> On Thu, 30 Aug 2007 14:56:48 -0400
>> John Griffiths wrote:
>>> policy_module(gallery, 1.0)
>>>
>>> require {
>>> 	type unlabeled_t;
>>> 	type httpd_t;
>>> 	type httpd_tmp_t;
>>> 	type httpd_sys_script_t;
>>> 	type public_content_rw_t;
>>> 	class file { read write unlink };
>>> 	class dir { write remove_name add_name };
>>> }
>>>
>>> #============= httpd_sys_script_t ==============
>>> allow httpd_sys_script_t unlabeled_t:file { read write };
>>
>> There shouldn't be any unlabeled files around; the policy should ensure
>> that any files used or created by gallery are labeled properly. If
>> that's done, this rule shouldn't be needed.
>
> Regardless of the correctness of the gallery2 policy, unlabeled_t is
> (almost) always a bug of one kind or another. Did you create some files
> with selinux completely disabled rather than just permissive? Do you
> have these files on a filesystem policy knows nothing about (typically a
> new FUSE filesystem)?
>
> Tracking down what files are unlabeled_t and how they got that way is
> the solution; no rules should allow unlabeled_t.

Thanks. I suspected that was a problem. I'll find the unlabeled_t files and see what they are.

Strange though, I had just done a touch /.autorelabel and rebooted a couple of days before.

Regards,
John

From anebi at iguanait.com Fri Aug 31 07:22:47 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Fri, 31 Aug 2007 10:22:47 +0300
Subject: Nagios Web Interface and SELinux
In-Reply-To: <20070830160016.D597473359@hormel.redhat.com>
References: <20070830160016.D597473359@hormel.redhat.com>
Message-ID: <1188544967.3684.7.camel@vali.iguanait.com>

On Thu, 2007-08-30 at 12:00 -0400, fedora-selinux-list-request at redhat.com wrote:
> Message: 1
> Date: Wed, 29 Aug 2007 15:37:18 -0700
> From: Michael Thomas
> Subject: Re: Nagios Web Interface and SELinux
> To: Daniel J Walsh
> Cc: fedora-selinux-list at redhat.com
> Message-ID: <46D5F51E.20206 at kobold.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel J Walsh wrote:
> > Ryan Skadberg wrote:
> >> I have been trying to get nagios up and running on 2 different
> >> machines. One running FC5 and one running FC6. Nagios itself starts
> >> up fine, but the web interface fails miserably.
> >>
> >> When looking at /var/log/messages, I see things like:
> >> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
> >> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
> >> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >>
> > Where is this file located? Looks like this needs a context like
> > httpd_sys_content_t or httpd_sys_script_t.
> >
> >
> > chcon -R -t httpd_sys_content_t PATH_TO_DIR
>
> I just ran into the same problem on EPEL-5. It appears that the path
> for the nagios cgi scripts is wrong in
> /etc/selinux/targeted/contexts/files/file_contexts:
>
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
> [...]
>
> This should be:
>
> /usr/lib(64)?/nagios/cgi-bin/.+ --
>
> --Wart

Hi,

I have installed nagios on Fedora 6, and I have no problems with SELinux there. I can tell you the SELinux contexts for some needed files; it looks to work fine. I don't get audit messages.

1. /etc/nagios - system_u:object_r:nagios_etc_t

2.
[anebi at asgard ~]$ ls -Z /etc/nagios/
-rw-rw-r--  root   root   system_u:object_r:nagios_etc_t  cgi.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  commands.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  contactgroups.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  contacts.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  hostgroups.cfg
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  hosts.cfg
-rw-r--r--  apache apache system_u:object_r:nagios_etc_t  htpasswd.users
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  nagios.cfg
-rw-r--r--  nagios nagios system_u:object_r:nrpe_etc_t    nrpe.cfg
drwxr-x---  root   nagios system_u:object_r:nagios_etc_t  private
drw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  sample
drwxr-xr-x  nagios nagios system_u:object_r:nagios_etc_t  services
-rw-r--r--  nagios nagios system_u:object_r:nagios_etc_t  timeperiods.cfg

3. [anebi at asgard ~]$ ls -Zd /usr/share/nagios/
drwxr-xr-x  root root system_u:object_r:usr_t  /usr/share/nagios/

4. [anebi at asgard ~]$ ls -Z /usr/share/nagios/
drwxr-xr-x  root root system_u:object_r:usr_t  html

5. [anebi at asgard ~]$ ls -Z /usr/share/nagios/html/
drwxr-xr-x  root root system_u:object_r:usr_t  contexthelp
drwxr-xr-x  root root system_u:object_r:usr_t  docs
drwxr-xr-x  root root system_u:object_r:usr_t  images
-rw-r--r--  root root system_u:object_r:usr_t  index.html
-rw-r--r--  root root system_u:object_r:usr_t  main.html
drwxr-xr-x  root root system_u:object_r:usr_t  media
-rw-r--r--  root root system_u:object_r:usr_t  robots.txt
-rw-r--r--  root root system_u:object_r:usr_t  side.html
drwxr-xr-x  root root system_u:object_r:usr_t  ssi
drwxr-xr-x  root root system_u:object_r:usr_t  stylesheets

6. [anebi at asgard ~]$ ls -Zd /usr/lib64/nagios/
drwxr-xr-x  root root system_u:object_r:lib_t  /usr/lib64/nagios/

7. [anebi at asgard ~]$ ls -Z /usr/lib64/nagios/
drwxr-xr-x  root root system_u:object_r:lib_t  cgi-bin
drwxr-xr-x  root root system_u:object_r:bin_t  plugins

8.
[anebi at asgard ~]$ ls -Z /usr/lib64/nagios/cgi-bin/
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  avail.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  cmd.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  config.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  extinfo.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  histogram.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  history.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  notifications.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  outages.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  showlog.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  status.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  statusmap.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  statuswml.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  statuswrl.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  summary.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  tac.cgi
-rwxr-xr-x  root root system_u:object_r:nagios_cgi_exec_t  trends.cgi

9.
[anebi at asgard ~]$ ls -Z /usr/lib64/nagios/plugins/
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_ackpoller
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_clamd -> check_tcp
-rwsr-x---  root nagios system_u:object_r:bin_t  check_dhcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_disk
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_ftp -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_http
-rwsr-xr-x  root root   system_u:object_r:bin_t  check_ide_smart
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_imap -> check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_jabber -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_linux_raid
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_load
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_nagios
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_nntp -> check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_nntps -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_nrpe
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_ping
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_pop -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_sensors
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_simap -> check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_spop -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_ssh
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_ssmtp -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_tcp
lrwxrwxrwx  root root   system_u:object_r:bin_t  check_udp -> check_tcp
-rwxr-xr-x  root root   system_u:object_r:bin_t  check_users
drwxr-xr-x  root root   system_u:object_r:bin_t  eventhandlers
-rwxr-xr-x  root root   system_u:object_r:bin_t  negate
-rwxr-xr-x  root root   system_u:object_r:bin_t  notify_by_reliable
-rwxr-xr-x  root root   system_u:object_r:bin_t  urlize
-rw-r--r--  root root   system_u:object_r:bin_t  utils.pm
-rwxr-xr-x  root root   system_u:object_r:bin_t  utils.sh

10.
[anebi at asgard ~]$ ls -Z /var/log/nagios/
drwxr-xr-x  nagios nagios system_u:object_r:nagios_log_t  archives
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t  comments.dat
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t  downtime.dat
-rw-r--r--  nagios nagios system_u:object_r:nagios_log_t  nagios.log
-rw-r--r--  nagios nagios system_u:object_r:nagios_log_t  objects.cache
-rw-------  nagios nagios system_u:object_r:nagios_log_t  retention.dat
-rw-rw-r--  nagios nagios system_u:object_r:nagios_log_t  status.dat

11. [anebi at asgard ~]$ ls -Z /var/run/nagios.pid
-rw-r--r--  nagios nagios system_u:object_r:initrc_var_run_t  /var/run/nagios.pid

I'm not sure about this; I think I had messages for this.

Now our systems are running in permissive mode.

I hope this info can help you.

Regards,
Ali Nebi!

From fedora01 at grifent.com Fri Aug 31 15:34:05 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Fri, 31 Aug 2007 11:34:05 -0400
Subject: find aborted on -context switch
In-Reply-To: <1188505789.3481.13.camel@localhost.localdomain>
References: <20070830160016.9C6CE73825@hormel.redhat.com> <46D712F0.6040808@grifent.com> <20070830210938.1fce625b@metropolis.intra.city-fan.org> <1188505789.3481.13.camel@localhost.localdomain>
Message-ID: <46D834ED.8070407@grifent.com>

I tried to use find to find -context \*unlabeled_t and it aborted.

find / -context \*unlabeled_t
*** glibc detected *** find: free(): invalid pointer: 0xbfeca893 ***
======= Backtrace: =========
/lib/libc.so.6[0x47d89a96]
/lib/libc.so.6(cfree+0x90)[0x47d8cfb0]
/lib/libselinux.so.1(freecon+0x1d)[0x484d87ed]
find[0x804fefa]
find[0x80503d0]
find[0x805038c]
find[0x804b8c7]
find[0x804bbd0]
find[0x804bac0]
find[0x804bac0]
find[0x804c011]
find[0x804aabb]
find[0x804ab74]
find[0x804b20e]
/lib/libc.so.6(__libc_start_main+0xdc)[0x47d38dec]
find[0x8049e51]
Aborted

Bug?

Regards,
John Griffiths

From fedora01 at grifent.com Fri Aug 31 16:38:24 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Fri, 31 Aug 2007 12:38:24 -0400
Subject: gallery2 policy
In-Reply-To: <20070831160012.9EA8D737BA@hormel.redhat.com>
References: <20070831160012.9EA8D737BA@hormel.redhat.com>
Message-ID: <46D84400.4090008@grifent.com>

>> allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
>>
>
> Not sure about this one. What are the httpd_tmp_t files that gallery is
> trying to read?
>

Gallery2 watermark plugin uses graphic packages such as NetPbm, ImageMagick, Dcraw, ffmpeg, GD to convert graphic files and re-write them with a watermark image superimposed on them. The typical AVCs for getattr and read are:

Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied { getattr } for pid=19252 comm="composite" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
.
.
.
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc: denied { read } for pid=19870 comm="pngtopnm" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

The kohokan.com.png is a watermark file that is uploaded through the web interface.

>> #============= httpd_t ==============
>> allow httpd_t public_content_rw_t:dir { write remove_name add_name };
>> allow httpd_t public_content_rw_t:file unlink;
>>
>
> Setting the allow_httpd_anon_write boolean should remove the need for
> these rules.
>

Thanks. Rules removed and boolean set.

> Paul.

From fedora01 at grifent.com Fri Aug 31 17:19:26 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Fri, 31 Aug 2007 13:19:26 -0400
Subject: gallery2 policy
In-Reply-To: <46D84400.4090008@grifent.com>
References: <20070831160012.9EA8D737BA@hormel.redhat.com> <46D84400.4090008@grifent.com>
Message-ID: <46D84D9E.7000406@grifent.com>

Did a re-installation of gallery2 after modifying the policy to remove the unlabeled_t rule, enabling the seboolean allow_httpd_anon_write and removing the two rules

allow httpd_t public_content_rw_t:dir { write remove_name add_name };
allow httpd_t public_content_rw_t:file unlink;

New policy is:

policy_module(gallery, 1.0.3)

require {
	type tmp_t;
	type httpd_t;
	type httpd_tmp_t;
	type httpd_sys_script_t;
	class file { read write unlink getattr };
	class dir { write remove_name add_name };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };

#============= httpd_t ==============
allow httpd_t tmp_t:file { read getattr };

It is the watermark package that is trying to do things with the unlabeled_t context. Here are the AVCs.
Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc: denied { read write } for pid=885 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.067:140): avc: denied { read write } for pid=887 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.080:141): avc: denied { read write } for pid=889 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.093:142): avc: denied { read write } for pid=891 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.105:143): avc: denied { read write } for pid=893 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.119:144): avc: denied { read write } for pid=895 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.132:145): avc: denied { read write } for pid=897 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.144:146): avc: denied { read write } for pid=899 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.158:147): avc: denied { read write } for pid=901 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.171:148): avc: denied { read write } for pid=903 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.184:149): avc: denied { read write } for pid=905 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

So what choices do I have?

Regards,
John

John Griffiths wrote:
>
>>> allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
>>>
>>
>> Not sure about this one. What are the httpd_tmp_t files that gallery is
>> trying to read?
>>
>>
> Gallery2 watermark plugin uses graphic packages such as NetPbm,
> ImageMagick, Dcraw, ffmpeg, GD to convert graphic files and re-write
> them with a watermark image superimposed on them. The typical AVCs for
> getattr and read are:
>
> Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc: denied
> { getattr } for pid=19252 comm="composite" name="kohokan_com_png"
> dev=dm-0 ino=2163199
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
> .
> .
> .
> Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc:
> denied { read } for pid=19870 comm="pngtopnm"
> name="kohokan_com_png" dev=dm-0 ino=2163199
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
>
> The kohokan.com.png is a watermark file that is uploaded through the
> web interface.
>
>>> #============= httpd_t ==============
>>> allow httpd_t public_content_rw_t:dir { write remove_name add_name };
>>> allow httpd_t public_content_rw_t:file unlink;
>>>
>>
>> Setting the allow_httpd_anon_write boolean should remove the need for
>> these rules.
>>
> Thanks. Rules removed and boolean set.
>> Paul.
>

From fedora01 at grifent.com Fri Aug 31 17:27:02 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Fri, 31 Aug 2007 13:27:02 -0400
Subject: gallery2 policy
In-Reply-To: <46D84D9E.7000406@grifent.com>
References: <20070831160012.9EA8D737BA@hormel.redhat.com> <46D84400.4090008@grifent.com> <46D84D9E.7000406@grifent.com>
Message-ID: <46D84F66.1030008@grifent.com>

This is what audit2allow is showing now.

tail -n60 /var/log/messages | audit2allow -m local

module local 1.0;

require {
	type unlabeled_t;
	type default_t;
	type boot_t;
	type httpd_t;
	type httpd_sys_script_t;
	type lost_found_t;
	class lnk_file read;
	class dir getattr;
	class file { read write getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t unlabeled_t:file { read write };

#============= httpd_t ==============
allow httpd_t boot_t:dir getattr;
allow httpd_t default_t:file getattr;
allow httpd_t default_t:lnk_file read;
allow httpd_t lost_found_t:dir getattr;

It is getting worse.

Regards,
John

From icon at fedoraproject.org Fri Aug 31 17:45:15 2007
From: icon at fedoraproject.org (Konstantin Ryabitsev)
Date: Fri, 31 Aug 2007 13:45:15 -0400
Subject: Is execmem/execstack normal for apache+php?
Message-ID:

Hello, all:

It seems my httpd process wants execstack and execheap -- that would be normal for PHP, right?

Cheers,
--
Konstantin Ryabitsev
Montréal, Québec

From icon at fedoraproject.org Fri Aug 31 17:49:06 2007
From: icon at fedoraproject.org (Konstantin Ryabitsev)
Date: Fri, 31 Aug 2007 13:49:06 -0400
Subject: Is execstack/execmem for apache+php normal?
Message-ID:

Hello, all:

It seems that my httpd process wants execstack and execmem. Is that normal for PHP?

Cheers,
--
Konstantin Ryabitsev
Montréal, Québec

(PS: If this is a dupe of my previous post, I apologize -- gmail just hiccoughed, so I'm not sure if it got sent).

From stefmanos at gmail.com Fri Aug 31 19:12:06 2007
From: stefmanos at gmail.com (Stephanos Manos)
Date: Fri, 31 Aug 2007 22:12:06 +0300
Subject: lost+found labeling
Message-ID:

Hi

I'm in the process of building a whole server and I was wondering what is the correct way of labeling the lost+found directory of the various file systems that will be mounted under /srv.

I have labeled /srv as public_content_rw_t with

semanage fcontext -a -t public_content_rw_t '/srv(/.*)?'

but that results in lost+found being labeled as public_content_rw_t, so I also ran

semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found'

My question is: in /etc/selinux/targeted/contexts/files/file_contexts I see two lines for /lost+found

a. /lost\+found/.* <>
b. /lost\+found -d system_u:object_r:lost_found_t:s0

The second is created with the above mentioned command. How do I create the first, or don't I need it?

Regards
Stephanos Manos

From dwalsh at redhat.com Fri Aug 31 20:59:57 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 31 Aug 2007 16:59:57 -0400
Subject: Is execstack/execmem for apache+php normal?
In-Reply-To:
References:
Message-ID: <46D8814D.8060505@redhat.com>

Konstantin Ryabitsev wrote:
> Hello, all:
>
> It seems that my httpd process wants execstack and execmem. Is that
> normal for PHP?
>
>
> Cheers,

No. What OS and what platform?

From dwalsh at redhat.com Fri Aug 31 21:05:56 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 31 Aug 2007 17:05:56 -0400
Subject: gallery2 policy
In-Reply-To: <46D84F66.1030008@grifent.com>
References: <20070831160012.9EA8D737BA@hormel.redhat.com> <46D84400.4090008@grifent.com> <46D84D9E.7000406@grifent.com> <46D84F66.1030008@grifent.com>
Message-ID: <46D882B4.3000606@redhat.com>

John Griffiths wrote:
> This is what audit2allow is showing now.
>
> tail -n60 /var/log/messages | audit2allow -m local
>
> module local 1.0;
>
> require {
> 	type unlabeled_t;
> 	type default_t;
> 	type boot_t;
> 	type httpd_t;
> 	type httpd_sys_script_t;
> 	type lost_found_t;
> 	class lnk_file read;
> 	class dir getattr;
> 	class file { read write getattr };
> }
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t unlabeled_t:file { read write };
>
> #============= httpd_t ==============
> allow httpd_t boot_t:dir getattr;
> allow httpd_t default_t:file getattr;
> allow httpd_t default_t:lnk_file read;
> allow httpd_t lost_found_t:dir getattr;
>
> It is getting worse.
>
> Regards,
> John

What OS and what version of policy are you running? You might want to

yum update selinux-policy

default_t looks like you added some directory at / and did not label it with httpd_sys_content_t?

The getattr can probably be dontaudit since I doubt your app actually wants to look at these directories.

From dwalsh at redhat.com Fri Aug 31 21:10:48 2007
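The triage this thread converges on (relabel instead of allowing unlabeled_t or default_t, the allow_httpd_anon_write boolean instead of rules for httpd_t on public_content_rw_t, dontaudit rather than allow for harmless getattr probes, and a review of whatever is left before it goes into a module), written out as an added Python example that is not part of the list discussion. The sample AVC lines are constructed to mirror the ones posted above (the boot_t, default_t and public_content_rw_t lines are made up to match the audit2allow output John quoted); the verdict names and the BOOLEAN_HINTS table are this example's own assumptions.

```python
import re
from collections import defaultdict

# An AVC record reads: avc: denied { perm perm } for key=value key="quoted" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean the label itself is wrong: relabel, never allow.
MISLABELED_TYPES = {"unlabeled_t", "default_t"}
# (source, target) pairs a boolean covers instead of rules; this example's own table.
BOOLEAN_HINTS = {("httpd_t", "public_content_rw_t"): "allow_httpd_anon_write"}
# Probing permissions that are normally noise: dontaudit rather than allow.
PROBE_PERMS = {"getattr", "search"}
# Constructed sample log, modeled on the AVC lines quoted in the thread.
SAMPLE_LOG = """\
Aug 25 18:06:46 gei kernel: audit(1188079606.937:995): avc:  denied  { getattr } for  pid=19252 comm="composite" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 25 19:07:04 gei kernel: audit(1188083224.885:1066): avc:  denied  { read } for  pid=19870 comm="pngtopnm" name="kohokan_com_png" dev=dm-0 ino=2163199 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
Aug 31 13:01:54 gei kernel: audit(1188579714.051:139): avc:  denied  { read write } for  pid=885 comm="sh" name="[eventpoll]" dev=anon_inodefs ino=289 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 31 13:20:01 gei kernel: audit(1188580801.101:150): avc:  denied  { getattr } for  pid=910 comm="httpd" name="boot" dev=dm-0 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
Aug 31 13:20:01 gei kernel: audit(1188580801.102:151): avc:  denied  { getattr } for  pid=910 comm="httpd" name="data" dev=dm-0 ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Aug 30 10:00:00 gei kernel: audit(1188468000.000:900): avc:  denied  { write add_name } for  pid=700 comm="httpd" name="albums" dev=dm-0 ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir
"""


def parse_avc(line):
    """Return the AVC's key=value fields plus a 'perms' set, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """system_u:object_r:unlabeled_t:s0 -> unlabeled_t"""
    return context.split(":")[2]


def triage(src, tgt, perms, devs):
    """Decide what a policy writer should do about denials from src to tgt."""
    if tgt in MISLABELED_TYPES:
        # Objects on a filesystem the policy does not label (the thread's "[eventpoll]"
        # on anon_inodefs) need a policy fix, not a local rule; the rest is relabeled.
        return "unlabeled-pseudofs" if "anon_inodefs" in devs else "relabel"
    if (src, tgt) in BOOLEAN_HINTS:
        return "boolean:" + BOOLEAN_HINTS[(src, tgt)]
    if perms <= PROBE_PERMS:
        return "dontaudit"
    return "review"


def group_denials(lines):
    """Merge log lines into (src type, tgt type, tclass) -> {perms, devs, verdict}."""
    groups = defaultdict(lambda: {"perms": set(), "devs": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"] |= rec["perms"]
        if "dev" in rec:
            groups[key]["devs"].add(rec["dev"])
    for (src, tgt, _cls), g in groups.items():
        g["verdict"] = triage(src, tgt, g["perms"], g["devs"])
    return dict(groups)


def fmt_perms(perms):
    """Rule syntax: one permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(groups, name="local", version="1.0"):
    """Emit .te text: dontaudit for probes, allow (flagged for review) for real
    access, and a comment instead of a rule wherever a rule would be the wrong fix."""
    rules, types, classes = [], set(), defaultdict(set)
    for (src, tgt, cls), g in sorted(groups.items()):
        v = g["verdict"]
        if v == "relabel":
            rules.append(f"# {src} -> {tgt}:{cls}: mislabeled objects; relabel them (restorecon, semanage fcontext)")
        elif v == "unlabeled-pseudofs":
            rules.append(f"# {src} -> {tgt}:{cls}: unlabeled pseudo filesystem; needs a policy fix, not a local rule")
        elif v.startswith("boolean:"):
            rules.append(f"# {src} -> {tgt}:{cls}: run 'setsebool -P {v.split(':', 1)[1]} on' instead of adding rules")
        else:
            kind = "dontaudit" if v == "dontaudit" else "allow"
            note = "" if v == "dontaudit" else "  # review: does the application really need this?"
            rules.append(f"{kind} {src} {tgt}:{cls} {fmt_perms(g['perms'])};{note}")
            types.update((src, tgt))
            classes[cls] |= g["perms"]
    require = [f"\ttype {t};" for t in sorted(types)]
    require += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    return "\n".join([f"policy_module({name}, {version})", "", "require {", *require, "}", ""] + rules)


if __name__ == "__main__":
    print(render_module(group_denials(SAMPLE_LOG.splitlines())))
```

Feed it `grep avc /var/log/messages` (or the audit log) instead of SAMPLE_LOG and the comments tell you which denials should never become rules.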
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 31 Aug 2007 17:10:48 -0400
Subject: Nagios Web Interface and SELinux
In-Reply-To: <46D5F51E.20206@kobold.org>
References: <8719b8230612031148x69f8ba99q2d75173b5468733e@mail.gmail.com> <457451D6.9050209@redhat.com> <46D5F51E.20206@kobold.org>
Message-ID: <46D883D8.50406@redhat.com>

Michael Thomas wrote:
> Daniel J Walsh wrote:
>> Ryan Skadberg wrote:
>>> I have been trying to get nagios up and running on 2 different
>>> machines. One running FC5 and one running FC6. Nagios itself starts
>>> up fine, but the web interface fails miserably.
>>>
>>> When looking at /var/log/messages, I see things like:
>>> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
>>> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
>>> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:lib_t:s0 tclass=file
>>>
>> Where is this file located? Looks like this needs a context like
>> httpd_sys_content_t or httpd_sys_script_t.
>>
>>
>> chcon -R -t httpd_sys_content_t PATH_TO_DIR
>
> I just ran into the same problem on EPEL-5. It appears that the path
> for the nagios cgi scripts is wrong in
> /etc/selinux/targeted/contexts/files/file_contexts:
>
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
> [...]
>
> This should be:
>
> /usr/lib(64)?/nagios/cgi-bin/.+ --
>
> --Wart

You can add this yourself for now. I will update the U2 selinux policy to fix this.

semanage fcontext -a -t nagios_cgi_exec_t \
    "/usr/lib(64)?/nagios/cgi-bin/.+"

From icon at fedoraproject.org Fri Aug 31 22:13:49 2007
From: icon at fedoraproject.org (Konstantin Ryabitsev)
Date: Fri, 31 Aug 2007 18:13:49 -0400
Subject: Is execstack/execmem for apache+php normal?
In-Reply-To: <46D8814D.8060505@redhat.com>
References: <46D8814D.8060505@redhat.com>
Message-ID:

On 8/31/07, Daniel J Walsh wrote:
> > It seems that my httpd process wants execstack and execmem. Is that
> > normal for PHP?
> >
> No. What OS and what platform?

Hi, Daniel:

I tracked it down to php-pecl-pdflib and ultimately to:

# execstack -q /usr/lib/libpdf.so.6
X /usr/lib/libpdf.so.6

With oracle-instantclient wanting execmod and execheap on top of that, I might as well just not bother. :/

Cheers,
--
Konstantin Ryabitsev
Montréal, Québec

From lists at ebourne.me.uk Fri Aug 31 23:28:00 2007
From: lists at ebourne.me.uk (Martin Ebourne)
Date: Fri, 31 Aug 2007 23:28:00 +0000 (UTC)
Subject: setroubleshootd using excessive memory
Message-ID:

Just noticed a problem with my laptop fully using swap and a major culprit seems to be setroubleshootd. From top it appeared to be using excessive vsize:

 1881 root      20   0  611m 1484  524 S  0.0  0.1   0:21.17 setroubleshootd

So I restarted it:

# free
             total       used       free     shared    buffers     cached
Mem:       1027704     637460     390244          0       4496      46400
-/+ buffers/cache:     586564     441140
Swap:      1048568    1023676      24892
# service setroubleshoot restart
Stopping setroubleshootd:                                  [  OK  ]
Starting setroubleshootd:                                  [  OK  ]
# free
             total       used       free     shared    buffers     cached
Mem:       1027704     630096     397608          0       5172      47336
-/+ buffers/cache:     577588     450116
Swap:      1048568     628444     420124
#

So it was 400MB in size (and all swapped due to recent memory pressure). This seems somewhat excessive. Also after I'd restarted setroubleshootd, auditd went wild and maxed the cpu out until I restarted that too.

I'm using fully updated Fedora 7.

setroubleshoot-server-1.9.4-2.fc7
2.6.22.1-41.fc7 #1 SMP Fri Jul 27 18:21:43 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
00:24:02 up 8 days, 8:22, 7 users, load average: 0.54, 1.72, 3.20

Cheers,

Martin.